

Analysis Report POinv00393.exe

Overview

General Information

Sample Name: POinv00393.exe
Analysis ID: 346695
MD5: e0db9d12220a5099bd1ebfefc0ccdcfe
SHA1: b0af96f187273082687f2c58faca71b837876429
SHA256: 09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
Tags: exe, HawkEye


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Adds a directory exclusion to Windows Defender
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • POinv00393.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
    • powershell.exe (PID: 6892 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6916 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7080 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POinv00393.exe (PID: 2100 cmdline: C:\Users\user\Desktop\POinv00393.exe MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
      • WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • POinv00393.exe (PID: 6464 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 5436 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 2296 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 1784 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x12ce0:$key: HawkEyeKeylogger
  • 0x14f2c:$salt: 099u787978786
  • 0x13347:$string1: HawkEye_Keylogger
  • 0x1419a:$string1: HawkEye_Keylogger
  • 0x14e8c:$string1: HawkEye_Keylogger
  • 0x13730:$string2: holdermail.txt
  • 0x13750:$string2: holdermail.txt
  • 0x13672:$string3: wallet.dat
  • 0x1368a:$string3: wallet.dat
  • 0x136a0:$string3: wallet.dat
  • 0x14a6e:$string4: Keylog Records
  • 0x14d86:$string4: Keylog Records
  • 0x14f84:$string5: do not script -->
  • 0x12cc8:$string6: \pidloc.txt
  • 0x12d3e:$string7: BSPLIT
  • 0x12d4e:$string7: BSPLIT
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
    • 0x1339f:$hawkstr1: HawkEye Keylogger
    • 0x141e0:$hawkstr1: HawkEye Keylogger
    • 0x1450f:$hawkstr1: HawkEye Keylogger
    • 0x1466a:$hawkstr1: HawkEye Keylogger
    • 0x147cd:$hawkstr1: HawkEye Keylogger
    • 0x14a46:$hawkstr1: HawkEye Keylogger
    • 0x12f11:$hawkstr2: Dear HawkEye Customers!
    • 0x14562:$hawkstr2: Dear HawkEye Customers!
    • 0x146b9:$hawkstr2: Dear HawkEye Customers!
    • 0x14820:$hawkstr2: Dear HawkEye Customers!
    • 0x13032:$hawkstr3: HawkEye Logger Details:
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
    • 0x7be38:$key: HawkEyeKeylogger
    • 0xfe258:$key: HawkEyeKeylogger
    • 0x180478:$key: HawkEyeKeylogger
    • 0x7e084:$salt: 099u787978786
    • 0x1004a4:$salt: 099u787978786
    • 0x1826c4:$salt: 099u787978786
    • 0x7c49f:$string1: HawkEye_Keylogger
    • 0x7d2f2:$string1: HawkEye_Keylogger
    • 0x7dfe4:$string1: HawkEye_Keylogger
    • 0xfe8bf:$string1: HawkEye_Keylogger
    • 0xff712:$string1: HawkEye_Keylogger
    • 0x100404:$string1: HawkEye_Keylogger
    • 0x180adf:$string1: HawkEye_Keylogger
    • 0x181932:$string1: HawkEye_Keylogger
    • 0x182624:$string1: HawkEye_Keylogger
    • 0x7c888:$string2: holdermail.txt
    • 0x7c8a8:$string2: holdermail.txt
    • 0xfeca8:$string2: holdermail.txt
    • 0xfecc8:$string2: holdermail.txt
    • 0x180ec8:$string2: holdermail.txt
    • 0x180ee8:$string2: holdermail.txt
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

      Sigma Overview

      System Summary:

      Sigma detected: Powershell adding suspicious path to exclusion list
      Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\POinv00393.exe', ParentImage: C:\Users\user\Desktop\POinv00393.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, ProcessId: 6892

      Signature Overview



      AV Detection:

      Found malware configuration
      Source: WerFault.exe.5556.34.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe; ReversingLabs: Detection: 17%
      Multi AV Scanner detection for submitted file
      Source: POinv00393.exe; Virustotal: Detection: 34%
      Source: POinv00393.exe; ReversingLabs: Detection: 17%
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe; Joe Sandbox ML: detected
      Machine Learning detection for sample
      Source: POinv00393.exe; Joe Sandbox ML: detected

      Compliance:

      Uses insecure TLS / SSL version for HTTPS connection
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0
      Contains modern PE file flags such as dynamic base (ASLR) or NX
      Source: POinv00393.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Binary contains paths to debug symbols
      Source: Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; Binary or memory string: [autorun]
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp; Binary or memory string: [autorun]

      Networking:

      Connects to a pastebin service (likely for C&C)
      Source: unknown; DNS query: name: pastebin.com
      Source: unknown; DNS query: name: pastebin.com
      Source: unknown; DNS query: name: pastebin.com
      Source: unknown; DNS query: name: pastebin.com
      Source: unknown; DNS query: name: pastebin.com
      Source: global traffic; TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587
      Source: Joe Sandbox View; IP Address: 104.23.99.190
      Source: Joe Sandbox View; IP Address: 104.23.98.190
      Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
      Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
      Source: unknown; DNS traffic detected: queries for: pastebin.com
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
      Source: powershell.exe, 00000001.00000002.498956817.00000000031E6000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
      Source: POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp; String found in binary or memory: http://en.wikip
      Source: POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp; String found in binary or memory: http://en.wikipedia
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.digicert.com0
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp; String found in binary or memory: http://schemas.micr
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
      Source: powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comnxa
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com(
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF:
      Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/o
      Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers0
      Source: POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers=
      Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
      Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
      Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comednxn
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgritaU
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitud
      Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu:
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comy
      Source: POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c
      Source: POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
      Source: POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnOx
      Source: POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-nO
      Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
      Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/2
      Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/:
      Source: POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmWQ
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF4
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krK
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
      Source: POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/y
      Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
      Source: POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.X
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
      Source: POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.cQ
      Source: POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krW
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krim
      Source: POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
      Source: POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.del
      Source: POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected HawkEye Keylogger
      Source: Yara match | File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY
      Installs a global keyboard hook
      Source: C:\Users\user\Desktop\POinv00393.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\POinv00393.exe

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 0_2_01C88251
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 0_2_01C87AEB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAA3D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAF3D7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAE66B
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAA960
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DA7FE0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DA6C30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DA51C8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DA51B7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAA3D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAF3D7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DAC560
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DA8810
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DC0040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D2B48
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032DDEB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D5ED0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032DA320
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D1A50
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D9818
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D0040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032D67E8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032DA618
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_032DD420
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02DC865B
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03111B78
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03113AD0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0316A358
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0316B750
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03160EB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03167EB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03160040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03167EB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03167EB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0316AE20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03160EB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03166C68
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0095A048
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0095AD89
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009505D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00956E28
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00959A58
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009505D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00956E28
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00956E28
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0095A740
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00956748
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009619E8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00963938
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009883E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098F528
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098C610
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098A7D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00986738
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098E810
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098AD60
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009870A0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009851C8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009851C7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098F528
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0098A7D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00988C10
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00986C30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009E0040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0438CE38
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_043825D5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04384008
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_009E8ADB
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 11_2_03518108
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 11_2_03517AE8
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 14_2_01598108
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 14_2_01597AE8
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 21_2_00F28108
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 21_2_00F27AF0
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 31_2_01518108
      Source: C:\Users\user\Desktop\POinv00393.exeCode function: 31_2_01517AF0
      Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
      Source: POinv00393.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: POinv00393.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.335186152.0000000006D20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000000.206073920.0000000000E72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamedbdc ddb.exe2 vs POinv00393.exe
      Source: POinv00393.exe, 00000009.00000000.243465863.0000000000802000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 0000000B.00000000.251187170.0000000000E12000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 0000000E.00000000.268933713.0000000000782000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 00000015.00000002.560738791.0000000000112000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000002.409137032.00000000053A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000002.343340975.000000000186A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000000.306230207.0000000000CC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exeBinary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 0000001F.00000000.325285879.0000000000742000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000001F.00000002.611727506.00000000012BA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5
      Source: C:\Users\user\Desktop\POinv00393.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100
      Source: C:\Users\user\Desktop\POinv00393.exe | File created: C:\Users\user\AppData\Local\Temp\16654f11-3a02-4cab-b1ad-a4500300c0c5
      Source: POinv00393.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\POinv00393.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\POinv00393.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\POinv00393.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: POinv00393.exe | Virustotal: Detection: 34%
      Source: POinv00393.exe | ReversingLabs: Detection: 17%
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Users\user\Desktop\POinv00393.exe
      Source: unknown | Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
      Source: unknown | Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: unknown unknown
      Source: C:\Users\user\Desktop\POinv00393.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\POinv00393.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: POinv00393.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: POinv00393.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: POinv00393.exe | Static file information: File size 4552704 > 1048576
      Source: POinv00393.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43dc00
      Source: POinv00393.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C829C9 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C829CB pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C829E9 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C8298B pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C829A9 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C829AB pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82968 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C808FD push eax; mov dword ptr [esp], ecx
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C80897 push eax; mov dword ptr [esp], ecx
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82B88 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82B49 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82B4D pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82B08 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82B28 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82A8D pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82A48 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82A09 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82A28 pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_01C82A2B pushfd ; retf
      Source: C:\Users\user\Desktop\POinv00393.exe | Code function: 0_2_06DA6E55 push ebp; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D42F0 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D7988 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D79E0 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D76AA pushad ; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D769A push esp; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_032D8401 push FFFFFF8Bh; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0311CA98 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0311C818 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03117E07 push eax; mov dword ptr [esp], ecx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_009524BF push F0007067h; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0096B208 push eax; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\POinv00393.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Users\user\Desktop\POinv00393.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
      Creates autostart registry keys with suspicious names
      Source: C:\Users\user\Desktop\POinv00393.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
      Creates multiple autostart registry keys
      Source: C:\Users\user\Desktop\POinv00393.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
      Source: C:\Users\user\Desktop\POinv00393.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe
      Drops PE files to the startup folder
      Source: C:\Users\user\Desktop\POinv00393.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe
      Source: C:\Users\user\Desktop\POinv00393.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe\:Zone.Identifier:$DATA
      Source: C:\Users\user\Desktop\POinv00393.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
      Source: C:\Users\user\Desktop\POinv00393.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe

      Hooking and other Techniques for Hiding and Protection:

      Changes the view of files in Windows Explorer (hidden files and folders)
      Source: C:\Users\user\Desktop\POinv00393.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\POinv00393.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\POinv00393.exe Process information set: NOOPENFILEERRORBOX (29 identical entries)

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Source: C:\Users\user\Desktop\POinv00393.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
      Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 300000
      Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4048
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3355
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3828
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3055
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4401
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2511
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4178
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2748
      Source: C:\Users\user\Desktop\POinv00393.exe Window / User API: threadDelayed 651
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 6780 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 6728 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5460 Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4788 Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4788 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5528 Thread sleep count: 4401 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2052 Thread sleep count: 56 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532 Thread sleep count: 2511 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep count: 4178 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248 Thread sleep count: 2748 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560 Thread sleep count: 51 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1012 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 6536 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 2288 Thread sleep time: -120000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 64 Thread sleep time: -140000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 3216 Thread sleep time: -300000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -8301034833169293s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -100000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99844s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99719s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99500s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99391s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99266s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99141s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99031s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -98844s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -98625s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -98391s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -97891s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -97750s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -97547s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -97297s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 6216 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe TID: 6336 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\POinv00393.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\POinv00393.exe Last function: Thread delayed
      Source: C:\Windows\SysWOW64\WerFault.exe Last function: Thread delayed
      Source: powershell.exe, 00000007.00000003.529306066.0000000005773000.00000004.00000001.sdmp Binary or memory string: Hyper-V
      Source: POinv00393.exe, 0000000E.00000002.600693562.00000000011DD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDea
      Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: POinv00393.exe, 00000000.00000002.336114660.0000000006E51000.00000004.00000001.sdmp Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
      Source: POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
      Source: POinv00393.exe, 0000001F.00000002.613897002.000000000134E000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: POinv00393.exe, 00000000.00000002.336114660.0000000006E51000.00000004.00000001.sdmp Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
      Source: WerFault.exe, 00000022.00000002.621186623.0000000004A87000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0_
      Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
      Source: POinv00393.exe, 0000000B.00000002.596909677.00000000018C3000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.614447206.000000000139F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.529306066.0000000005773000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\POinv00393.exe Process queried: DebugPort (2 identical entries)
      Source: C:\Users\user\Desktop\POinv00393.exe Code function: 26_2_058853D0 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\POinv00393.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 identical entries)
      Source: C:\Users\user\Desktop\POinv00393.exe Process token adjusted: Debug (3 identical entries)
      Source: C:\Users\user\Desktop\POinv00393.exe Memory allocated: page read and write | page guard
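      The evasion events above (the 922337203685477 sleep sentinel, thousands of short sleeps, the NECVMWar/VMware device and driver names, the DebugPort query, the Win32_Processor WMI query) are the kind of thing an analyst wants triaged automatically rather than read line by line. The Python below is an added example; it is not part of the Joe Sandbox report and not a Joe Sandbox feature. It re-parses lines in the report's own "Source: <process> <event>: <detail>" shape and groups them by evasion technique. The event wording and the 30000 ms / 30-call thresholds are the ones the report prints; the category names, the weights and the rule that VM artefact strings only count when found in the sample's own process are this example's assumptions. The ten input lines are taken from the report above with the fused table columns separated by a space.

```python
"""Triage of sandbox behaviour events for anti-analysis indicators.

Added example, not part of the Joe Sandbox report. It re-parses lines in the
report's "Source: <process> <event>: <detail>" shape and groups the evasion
tricks the sample uses. The event wording and the 30000 ms / 30-call thresholds
are what the report prints; the category names, weights and the "only the
sample's own process" filter are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Int64.MaxValue ticks (100 ns each) in whole milliseconds, i.e. TimeSpan.MaxValue
# expressed in ms. A "delay" of exactly this value parks a thread for good; it is
# a sleep-forever sentinel, not a duration anyone expects to elapse.
INFINITE_MS = (2**63 - 1) // 10_000      # == 922337203685477, the value in the report
LONG_SLEEP_MS = 30_000                   # the report's own threshold (">= -30000s")
SLEEP_LOOP_CALLS = 30                    # the report's own threshold ("sleep count: N > 30")

EVENT_KINDS = (
    "File opened / queried:", "Thread delayed:", "Thread sleep time:",
    "Thread sleep count:", "WMI Queries:", "Binary or memory string:",
    "Process queried:",
)
EVENT_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+(?:TID:\s*(?P<tid>\d+)\s+)?"
    r"(?P<kind>" + "|".join(map(re.escape, EVENT_KINDS)) + r")\s*(?P<detail>.*)$"
)
# VM-tools artefacts that appear in this report. Hyper-V is deliberately left out:
# the OS itself carries those strings (PowerShell's Hyper-V module path, WerFault
# error text), so their presence in a process dump says nothing about the sample.
VM_ARTIFACT_RE = re.compile(r"VBox|vmmouse|vmhgfs|VMware|NECVMWar", re.IGNORECASE)

WEIGHTS = {"vm_artifact": 3, "debugger_check": 2, "sleep_infinite": 2,
           "long_sleep": 1, "sleep_loop": 1, "fingerprint": 1}


@dataclass(frozen=True)
class Finding:
    category: str
    source: str
    detail: str


def _process_name(source: str) -> str:
    """'C:\\dir\\x.exe' and 'x.exe, <dump id>.sdmp' both map to 'x.exe'."""
    return source.split(",")[0].rsplit("\\", 1)[-1].lower()


def _first_int(text: str) -> Optional[int]:
    m = re.search(r"\d+", text)
    return int(m.group()) if m else None


def classify(line: str, sample_name: str) -> Optional[Finding]:
    """Map one report line to a Finding, or None when it is not an evasion indicator."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    source, kind, detail = m["source"], m["kind"], m["detail"]
    own_process = _process_name(source) == sample_name.lower()

    if kind in ("Thread delayed:", "Thread sleep time:"):
        # The report prints the same magnitudes in both forms and applies the
        # 30000 threshold to both; the sign and unit suffix are ignored here.
        ms = _first_int(detail)
        if ms == INFINITE_MS:
            return Finding("sleep_infinite", source, detail)
        if ms is not None and ms >= LONG_SLEEP_MS:
            return Finding("long_sleep", source, detail)
    elif kind == "Thread sleep count:":
        n = _first_int(detail)
        if n is not None and n > SLEEP_LOOP_CALLS:
            return Finding("sleep_loop", source, detail)
    elif kind in ("File opened / queried:", "Binary or memory string:"):
        # Only the sample's own process counts: strings in powershell.exe or
        # WerFault.exe memory belong to the host, not to the malware.
        if own_process and VM_ARTIFACT_RE.search(detail):
            return Finding("vm_artifact", source, detail)
    elif kind == "Process queried:" and "DebugPort" in detail:
        return Finding("debugger_check", source, detail)
    elif kind == "WMI Queries:" and "Win32_Processor" in detail:
        return Finding("fingerprint", source, detail)
    return None


def triage(lines, sample_name="POinv00393.exe"):
    """Group findings by category; returns {category: [Finding, ...]}."""
    grouped = defaultdict(list)
    for line in lines:
        f = classify(line.strip(), sample_name)
        if f:
            grouped[f.category].append(f)
    return dict(grouped)


def score(grouped) -> int:
    return sum(WEIGHTS[c] * len(fs) for c, fs in grouped.items())


# Ten lines taken from the report above (fused table columns separated by a space).
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\POinv00393.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\POinv00393.exe Thread delayed: delay time: 300000",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5528 Thread sleep count: 4401 > 30",
    r"Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024 Thread sleep time: -99844s >= -30000s",
    r"Source: C:\Users\user\Desktop\POinv00393.exe TID: 6780 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Desktop\POinv00393.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: powershell.exe, 00000007.00000003.529306066.0000000005773000.00000004.00000001.sdmp Binary or memory string: Hyper-V",
    r"Source: POinv00393.exe, 00000000.00000002.336114660.0000000006E51000.00000004.00000001.sdmp Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: C:\Users\user\Desktop\POinv00393.exe Process queried: DebugPort",
]

if __name__ == "__main__":
    grouped = triage(SAMPLE_EVENTS)
    for category, findings in sorted(grouped.items()):
        print(f"{category:15} x{len(findings)}")
    print("score:", score(grouped))
```

      The process filter is the part worth keeping when adapting this: the Hyper-V strings the report lists under powershell.exe and WerFault.exe come from the OS (the PowerShell Hyper-V module path, WerFault's own error messages) and drop out, while the VBoxMouse.sys / VMware Tools / NECVMWar strings inside POinv00393.exe are scored. Two of the report's sleep values, 3689348814741908 and 8301034833169293, are also far above any plausible duration and land in long_sleep; the sentinel category is reserved for the exact TimeSpan.MaxValue value.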

      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force (3 identical events)
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force (3 identical events)
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
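The Add-MpPreference -ExclusionPath command lines above are the artifact a detection engineer keys on: the sample excludes its own Desktop copy and its Startup-folder copy from Defender before doing anything else. As an added example (not part of the sandbox report and not the malware's own code), the following Python scores process-creation events of that shape. The event dictionaries are constructed in Sysmon Event ID 1 style, the first two reproducing the command lines observed here and the last two serving as benign comparisons; the scoring weights, the user-writable path list and the HIGH_THRESHOLD cut-off are assumptions chosen for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation events in Sysmon Event ID 1 style (not pulled from a real host).
# The first two CommandLine values reproduce the Add-MpPreference invocations listed in this report;
# the last two are benign comparison events.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\POinv00393.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
                    r"-ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force"},
    {"ParentImage": r"C:\Users\user\Desktop\POinv00393.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
                    r"-ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA'"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-MpPreference"},
]

MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# One -Exclusion<Kind> parameter followed by a single value or a comma-separated list of values
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+"
    r"((?:'[^']*'|\"[^\"]*\"|[^\s,]+)(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"|[^\s,]+))*)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s,]+)")
# Locations a standard user can write to; an exclusion here shields attacker-controlled files (assumed list)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|desktop|downloads|documents)|users\\public"
    r"|programdata|windows\\temp)(?:\\|$)",
    re.IGNORECASE,
)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
HIGH_THRESHOLD = 4  # assumed cut-off; tune against your own baseline


@dataclass
class Finding:
    image: str
    parent_image: str
    exclusions: list
    score: int
    reasons: list

    @property
    def severity(self) -> str:
        return "high" if self.score >= HIGH_THRESHOLD else "low"


def parse_exclusions(cmdline: str) -> list:
    """Return (kind, value) pairs for every exclusion a Defender cmdlet adds on this command line."""
    if not MP_CMDLET_RE.search(cmdline):
        return []
    found = []
    for param in EXCLUSION_RE.finditer(cmdline):
        kind = param.group(1).lower()
        for value in VALUE_RE.finditer(param.group(2)):
            found.append((kind, next(g for g in value.groups() if g is not None)))
    return found


def score_event(event: dict):
    """Score one process-creation event; None when it does not touch Defender exclusions."""
    exclusions = parse_exclusions(event.get("CommandLine", ""))
    if not exclusions:
        return None
    parent = event.get("ParentImage", "")
    parent_name = ntpath.basename(parent).lower()
    score, reasons = 1, ["Defender exclusion list modified via Add/Set-MpPreference"]
    if USER_WRITABLE_RE.search(parent):
        score += 1
        reasons.append("parent process runs from a user-writable location")
    for kind, value in exclusions:
        if kind in ("path", "process") and USER_WRITABLE_RE.search(value):
            score += 2
            reasons.append(f"{kind} exclusion inside a user-writable location: {value}")
        if STARTUP_RE.search(value):
            score += 1
            reasons.append("exclusion covers the Startup folder, a persistence location")
        if parent_name and ntpath.basename(value).lower() == parent_name:
            score += 3
            reasons.append("excluded file carries the same name as the parent process image")
    return Finding(event.get("Image", ""), parent, exclusions, score, reasons)


def triage(events) -> list:
    """Findings for every event that modifies exclusions, in input order."""
    return [f for f in (score_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity}] score={finding.score} parent={finding.parent_image}")
        for reason in finding.reasons:
            print("   -", reason)
```

Two points worth keeping in mind when deploying something like this: Add-MpPreference only succeeds from an elevated context, but the command line is logged whether or not the exclusion was actually applied, so process-creation telemetry is the reliable source rather than the resulting exclusion list; and the same cmdlet also accepts -ExclusionProcess and -ExclusionExtension, which the parser above already handles, so a rule keyed only on -ExclusionPath would miss the other two.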
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\POinv00393.exe; Memory written: C:\Users\user\Desktop\POinv00393.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force (3 identical events)
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
Source: C:\Users\user\Desktop\POinv00393.exe; Process created: unknown unknown (9 identical events)
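The "Memory written ... base: 400000 value starts with: 4D5A" line is the process-hollowing pattern: the sample launches a second copy of itself (the self-spawn listed just above), then writes a PE image (4D5A is the "MZ" DOS signature) at 0x400000, the default image base of a 32-bit executable, where the child's original image sits. As an added example, not code from the report or from the sample, the following Python builds a constructed minimal PE image, parses its headers the way a memory scanner would, and classifies the write using the same three facts the sandbox indicator reports (writer, target address, leading bytes). The image, the addresses and the verdict strings are assumptions for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_sample_image(pe32plus: bool = False, image_base: int = 0x400000, entry: int = 0x1000) -> bytes:
    """Constructed minimal PE image (not the sample analysed in this report): DOS header, PE
    signature, file header, optional header and one .text section whose body is a single RET."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 0xF0 if pe32plus else 0xE0
    # EXECUTABLE_IMAGE | RELOCS_STRIPPED (+ 32BIT_MACHINE for PE32): no .reloc, so it must load at ImageBase
    characteristics = 0x0002 | IMAGE_FILE_RELOCS_STRIPPED | (0 if pe32plus else 0x0100)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    if pe32plus:  # Magic, linker version, SizeOfCode, SizeOfInit, SizeOfUninit, EntryPoint, BaseOfCode, ImageBase (8 bytes)
        opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0, entry, 0x1000, image_base)
    else:         # same fields, with BaseOfData before a 4-byte ImageBase
        opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0x200, 0, 0, entry, 0x1000, 0x2000, image_base)
    # SectionAlignment, FileAlignment, OS/image/subsystem versions, Win32VersionValue, SizeOfImage,
    # SizeOfHeaders, CheckSum, Subsystem (2 = GUI), DllCharacteristics (0 = no DYNAMIC_BASE, i.e. no ASLR)
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0)
    opt += b"\0" * (opt_size - len(opt))  # stack/heap sizes, LoaderFlags, data directories: all zero
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\0" * 0x1FF


def parse_pe_header(buf: bytes) -> dict:
    """Parse the headers of an in-memory PE image; raise ValueError if the bytes are not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + opt_size > len(buf):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec = opt + opt_size
    names = [buf[sec + 40 * i:sec + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace") for i in range(nsections)]
    return {
        "machine": machine, "pe32plus": magic == PE32PLUS_MAGIC, "image_base": image_base,
        "entry_point": struct.unpack_from("<I", buf, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
        "characteristics": characteristics,
        "dll_characteristics": struct.unpack_from("<H", buf, opt + 70)[0],
        "sections": names,
    }


def assess_foreign_write(target_image_base: int, write_base: int, buf: bytes):
    """Classify a cross-process memory write from the facts a sandbox reports: target image base,
    address written, and the bytes written. Returns (verdict, reasons)."""
    reasons = []
    if buf[:2] != b"MZ":
        return "not a PE image", reasons
    try:
        hdr = parse_pe_header(buf)
    except ValueError as err:
        return "MZ prefix but malformed PE headers", [str(err)]
    reasons.append(f"{'PE32+' if hdr['pe32plus'] else 'PE32'} image, entry point RVA {hdr['entry_point']:#x}")
    if write_base == hdr["image_base"]:
        reasons.append(f"written at its own preferred ImageBase {hdr['image_base']:#x}")
    else:
        reasons.append("written away from ImageBase; relocations will be needed")
    if hdr["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED or not hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        reasons.append("image is not ASLR-relocatable, so it must run at ImageBase")
    if write_base == target_image_base:
        reasons.append(f"overwrites the target's original image at {target_image_base:#x}")
        return "likely process hollowing", reasons
    return "PE image injected into foreign process", reasons


if __name__ == "__main__":
    image = build_sample_image()
    verdict, why = assess_foreign_write(target_image_base=0x400000, write_base=0x400000, buf=image)
    print(verdict)
    for line in why:
        print("  -", line)
```

The point of parsing rather than stopping at the two-byte signature is that the headers tell you what the injected payload needs: a PE32 image with relocations stripped and no DYNAMIC_BASE flag can only run at its ImageBase, which is exactly why a hollowing loader unmaps the child's original image at 0x400000 and writes the payload there. On a live host the same function can be fed the buffer from a VirtualAllocEx/WriteProcessMemory hook or from an EDR memory-region scan.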
Source: C:\Users\user\Desktop\POinv00393.exe; Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\POinv00393.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\POinv00393.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
      Source: C:\Users\user\Desktop\POinv00393.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected HawkEye Keylogger
      Source: Yara match | File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY
      Yara detected MailPassView
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Yara detected WebBrowserPassView password recovery tool
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY

      Remote Access Functionality:

      Detected HawkEye Rat
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
      Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
      Yara detected HawkEye Keylogger
      Source: Yara match | File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Replication Through Removable Media 1 | Windows Management Instrumentation 2 1 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 1 1 | Input Capture 1 1 | Peripheral Device Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 4 2 1 | Process Injection 1 1 1 | Obfuscated Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 1 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 4 2 1 | Masquerading 1 | Security Account Manager | System Information Discovery 1 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 5 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 1 1 1 | LSA Secrets | Security Software Discovery 1 4 1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 5 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 1 2 | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Process Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
      (Digits following a technique name are the report's per-technique signature-count badges, kept as given.)

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 346695 Sample: POinv00393.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100
      • Start
        DNS/IP: prda.aadg.msidentity.com; pastebin.com
        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures
        Started: POinv00393.exe (24 7); POinv00393.exe; POinv00393.exe; 3 other processes
      • POinv00393.exe (24 7), first instance
        DNS/IP: pastebin.com 104.23.98.190, 443, 49713, 49746 CLOUDFLARENETUS United States
        Dropped: C:\Users\user\AppData\...\POinv00393.exe, PE32; C:\Users\...\POinv00393.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\...\POinv00393.exe.log, ASCII
        Signatures: Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 3 other signatures
        Started: POinv00393.exe; powershell.exe (23); powershell.exe (24); 2 other processes
      • POinv00393.exe, second instance (started from Start)
        DNS/IP: 104.23.99.190, 443, 49742 CLOUDFLARENETUS United States
      • POinv00393.exe (started by the first instance)
        DNS/IP: 84.102.13.0.in-addr.arpa; mail.privateemail.com 198.54.122.60, 49733, 587 NAMECHEAP-NETUS United States; 2 other IPs or domains
        Signatures: Changes the view of files in windows explorer (hidden files and folders); Installs a global keyboard hook
        Started: WerFault.exe
      • powershell.exe (23) started conhost.exe
      • powershell.exe (24) started conhost.exe
      • 2 other processes started conhost.exe; conhost.exe

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      POinv00393.exe | 34% | Virustotal |
      POinv00393.exe | 18% | ReversingLabs | Win32.Trojan.Wacatac
      POinv00393.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe | 18% | ReversingLabs | Win32.Trojan.Wacatac

      Unpacked PE Files

      No Antivirus matches

      Domains

      Source | Detection | Scanner | Label
      84.102.13.0.in-addr.arpa | 0% | Virustotal |

      URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comI.TTF | 0% | Avira URL Cloud | safe
http://www.fontbureau.comgritaU | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.monotype.X | 0% | Avira URL Cloud | safe
http://www.fontbureau.comednxn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnOx | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krW | 0% | Avira URL Cloud | safe
http://www.fontbureau.com( | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
http://www.fontbureau.comueed | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/U | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.founder.com.c | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/sl-s | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krF4 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krK | 0% | Avira URL Cloud | safe
http://www.fontbureau.comion | 0% | URL Reputation | safe
http://en.wikipedia | 0% | URL Reputation | safe
http://schemas.micr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.sandoll.cQ | 0% | Avira URL Cloud | safe
http://en.wikip | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl-nO | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/y | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/2 | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.fontbureau.comoitu: | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com.TTF: | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/: | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krim | 0% | Avira URL Cloud | safe
http://www.fontbureau.comy | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/h | 0% | URL Reputation | safe
http://www.urwpp.del | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.privateemail.com | 198.54.122.60 | true | false | - | high
pastebin.com | 104.23.98.190 | true | false | - | high
84.102.13.0.in-addr.arpa | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comI.TTF | POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comgritaU | POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers | POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comessed | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.monotype.X | POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comednxn | POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnOx | POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krW | POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com( | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://whatismyipaddress.com/- | POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/ | POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.de | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comueed | POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designerss | POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersr | POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/U | POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.c | POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/sl-s | POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.krF4 | POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krK | POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comion | POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://en.wikipedia | POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.micr | powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.cQ | POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.wikip | POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnl-nO | POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/y | POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/2 | POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.monotype. | POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comoitu: | POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF: | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/: | POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krim | POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comy | POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/h | POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers= | POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.del | POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/o | POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers0 | POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/ | POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comnxa | POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comitud | POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmWQ | POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                          Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.99.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.23.98.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
198.54.122.60 | unknown | United States | 22612 | NAMECHEAP-NETUS | false

Private

IP
192.168.2.1
127.0.0.1

                                                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 346695
Start date: 01.02.2021
Start time: 13:28:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: POinv00393.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
                                                                          • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 40.88.32.150, 104.43.139.144, 51.11.168.160, 92.122.144.200, 2.20.143.16, 2.20.142.210, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.104.144.132, 20.190.159.132, 40.126.31.6, 40.126.31.1, 40.126.31.137, 20.190.159.136, 40.126.31.141, 20.190.159.138, 40.126.31.135, 52.155.217.156
                                                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Report size getting too big, too many NtSetInformationFile calls found.

                                                                          Simulations

                                                                          Behavior and APIs

Time | Type | Description
13:29:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\POinv00393.exe
13:29:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
13:29:27 | API Interceptor | 21x Sleep call for process: POinv00393.exe modified
13:29:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\POinv00393.exe
13:29:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
13:29:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe
13:30:13 | API Interceptor | 208x Sleep call for process: powershell.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 104.23.99.190
7fYoHeaCBG.exe | malicious | pastebin.com/raw/XMKKNkb0
r0QRptqiCl.exe | malicious | pastebin.com/raw/XMKKNkb0
JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
kigAlmMyB1.exe | malicious | pastebin.com/raw/XMKKNkb0
5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
DovV3LuJ6I.exe | malicious | pastebin.com/raw/XMKKNkb0
66f8F6WvC1.exe | malicious | pastebin.com/raw/XMKKNkb0
PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
uqXsQvWMnL.exe | malicious | pastebin.com/raw/XMKKNkb0
I8r7e1pqac.exe | malicious | pastebin.com/raw/XMKKNkb0
VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
dEpoPWHmoI.exe | malicious | pastebin.com/raw/XMKKNkb0
zZp3oXclum.exe | malicious | pastebin.com/raw/XMKKNkb0
aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
U23peRXm5Z.exe | malicious | pastebin.com/raw/XMKKNkb0
eXP2pYucWu.exe | malicious | pastebin.com/raw/XMKKNkb0
L6UBlWyCpV.exe | malicious | pastebin.com/raw/XMKKNkb0

Match: 104.23.98.190
b095b966805abb7df4ffddf183def880.exe | malicious | pastebin.com/raw/XMKKNkb0
E1Q0TjeN32.exe | malicious | pastebin.com/raw/XMKKNkb0
6YCl3ATKJw.exe | malicious | pastebin.com/raw/XMKKNkb0
Hjnb15Nuc3.exe | malicious | pastebin.com/raw/XMKKNkb0
JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
4av8Sn32by.exe | malicious | pastebin.com/raw/XMKKNkb0
5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
T6OcyQsUsY.exe | malicious | pastebin.com/raw/XMKKNkb0
1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
PbTwrajNMX.exe | malicious | pastebin.com/raw/XMKKNkb0
22NO7gVJ7r.exe | malicious | pastebin.com/raw/XMKKNkb0
rE7DwszvrX.exe | malicious | pastebin.com/raw/XMKKNkb0
VjPHSJkwr6.exe | malicious | pastebin.com/raw/XMKKNkb0
wf86K0dpOP.exe | malicious | pastebin.com/raw/XMKKNkb0
VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
6C1MYmrVl1.exe | malicious | pastebin.com/raw/XMKKNkb0
aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0

                                                                          Domains

Match | Associated Sample Name / URL | Detection | Context

Match: pastebin.com
QuotationCVXpo00029392.exe | malicious | 104.23.98.190
cbUJVTVJ.exe | malicious | 104.23.99.190
SecuriteInfo.com.Trojan.Packed2.42783.20578.exe | malicious | 104.23.98.190
INWARD-OUTWARD ANALYSIS.xlsx | malicious | 104.23.98.190
svchost.exe | malicious | 104.23.98.190
0238-35-pdf.scr.exe | malicious | 104.23.99.190
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exe | malicious | 104.23.99.190
fod1jZt8yK.exe | malicious | 104.23.98.190
RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe | malicious | 104.23.99.190
Enq No 34 22-01-2021.exe | malicious | 104.23.99.190
SecuriteInfo.com.BehavesLike.Win32.Generic.mm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe | malicious | 104.23.99.190
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe | malicious | 104.23.98.190
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 104.23.98.190
Design Specification_A2000006.doc | malicious | 104.23.99.190

Match: mail.privateemail.com
DHL_document11022020680908911.doc.exe | malicious | 198.54.122.60
Pending Orders Statement -40064778.doc | malicious | 198.54.122.60
documenting.doc | malicious | 198.54.122.60
RFQ Tengco_270121.doc | malicious | 198.54.122.60
74725794.exe | malicious | 198.54.122.60
Enq No 34 22-01-2021.exe | malicious | 198.54.122.60
pickup receipt,DOC.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe | malicious | 198.54.122.60
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe | malicious | 198.54.122.60
Pi_74725794.exe | malicious | 198.54.122.60
74725794.exe | malicious | 198.54.122.60
New FedEx paper work review.exe | malicious | 198.54.122.60
New paper work document attached.exe | malicious | 198.54.122.60
DHL_AWB_1928493383.exe | malicious | 198.54.122.60
PGXPHWCclJQdkUDcrlQETWlRbmXQw.exe | malicious | 198.54.122.60

                                                                          ASN

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          CLOUDFLARENETUSMIR-CAR_MRC2021751030XMY,pdf.exeGet hashmaliciousBrowse
                                                                          • 162.159.129.233
                                                                          FACTURA.xlsxGet hashmaliciousBrowse
                                                                          • 104.22.1.232
                                                                          PO 642021.exeGet hashmaliciousBrowse
                                                                          • 104.21.19.200
                                                                          00000000000000000090.exeGet hashmaliciousBrowse
                                                                          • 172.67.188.154
                                                                          sample20210201-01.xlsmGet hashmaliciousBrowse
                                                                          • 172.67.189.234
                                                                          NsNu725j8o.exeGet hashmaliciousBrowse
                                                                          • 172.67.129.48
                                                                          FPZaxqP7uB.exeGet hashmaliciousBrowse
                                                                          • 23.227.38.74
                                                                          AWB_SHIPPING_DOCUMENT_pdf.exeGet hashmaliciousBrowse
                                                                          • 66.235.200.146
                                                                          DebitNote11_Owners Invoices.exeGet hashmaliciousBrowse
                                                                          • 104.21.5.94
                                                                          HwL7D1UcZG.exeGet hashmaliciousBrowse
                                                                          • 104.21.27.226
                                                                          New Order.exe (malicious): 172.67.188.154
                                                                          IMG_1660392.exe (malicious): 172.67.188.154
                                                                          IMG_1660392.doc (malicious): 172.67.188.154
                                                                          Bp93hBPMoi.exe (malicious): 104.21.86.207
                                                                          mEPx5H8svq.exe (malicious): 104.21.45.223
                                                                          HoFD3n7z6A.exe (malicious): 23.227.38.74
                                                                          BLWnF55j6W.exe (malicious): 104.21.45.223
                                                                          2Debit Note_OwnersInvoices.exe (malicious): 172.67.142.171
                                                                          20082020141903,pdf.exe (malicious): 162.159.129.233
                                                                          PROFORMA INVOICE # ID40,pdf.exe (malicious): 162.159.135.233
                                                                          NAMECHEAP-NETUS
                                                                          Swift MT 199_Pdf.exe (malicious): 198.54.116.236
                                                                          Inquiry.exe (malicious): 198.54.126.106
                                                                          AWB_SHIPPING_DOCUMENT_pdf.exe (malicious): 198.54.117.217
                                                                          imTmqTngvS.exe (malicious): 198.54.117.216
                                                                          DHL Details.exe (malicious): 198.54.114.191
                                                                          REMITTANCE ADVICE REF0000360261_PDF.xlsx (malicious): 198.54.117.215
                                                                          Swift copy.xls (malicious): 199.188.200.124
                                                                          Orders.exe (malicious): 199.193.7.228
                                                                          DHL_document11022020680908911.doc.exe (malicious): 198.54.122.60
                                                                          DHL Details.exe (malicious): 198.54.126.165
                                                                          order.doc (malicious): 199.188.201.34
                                                                          aOn5CfTiwS.exe (malicious): 198.54.117.244
                                                                          PO_55004.exe (malicious): 68.65.122.156
                                                                          SecuriteInfo.com.Trojan.MulDrop16.10041.23448.exe (malicious): 185.61.153.111
                                                                          SecuriteInfo.com.Trojan.Inject4.6821.6799.exe (malicious): 199.188.200.150
                                                                          DCAjXz5y4I.exe (malicious): 162.213.255.196
                                                                          NEW ORDER.xlsm (malicious): 104.219.248.89
                                                                          Claim_250196008_01282021.xls (malicious): 162.0.226.110
                                                                          Claim_250196008_01282021.xls (malicious): 162.0.226.110
                                                                          lbqFKoALqe.exe (malicious): 198.54.117.215
                                                                          CLOUDFLARENETUS
                                                                          MIR-CAR_MRC2021751030XMY,pdf.exe (malicious): 162.159.129.233
                                                                          FACTURA.xlsx (malicious): 104.22.1.232
                                                                          PO 642021.exe (malicious): 104.21.19.200
                                                                          00000000000000000090.exe (malicious): 172.67.188.154
                                                                          sample20210201-01.xlsm (malicious): 172.67.189.234
                                                                          NsNu725j8o.exe (malicious): 172.67.129.48
                                                                          FPZaxqP7uB.exe (malicious): 23.227.38.74
                                                                          AWB_SHIPPING_DOCUMENT_pdf.exe (malicious): 66.235.200.146
                                                                          DebitNote11_Owners Invoices.exe (malicious): 104.21.5.94
                                                                          HwL7D1UcZG.exe (malicious): 104.21.27.226
                                                                          New Order.exe (malicious): 172.67.188.154
                                                                          IMG_1660392.exe (malicious): 172.67.188.154
                                                                          IMG_1660392.doc (malicious): 172.67.188.154
                                                                          Bp93hBPMoi.exe (malicious): 104.21.86.207
                                                                          mEPx5H8svq.exe (malicious): 104.21.45.223
                                                                          HoFD3n7z6A.exe (malicious): 23.227.38.74
                                                                          BLWnF55j6W.exe (malicious): 104.21.45.223
                                                                          2Debit Note_OwnersInvoices.exe (malicious): 172.67.142.171
                                                                          20082020141903,pdf.exe (malicious): 162.159.129.233
                                                                          PROFORMA INVOICE # ID40,pdf.exe (malicious): 162.159.135.233

                                                                          JA3 Fingerprints

                                                                          Match: JA3 54328bd36c14bd82ddaa0c04b25ed9ad
                                                                          Associated Sample Name / URL (Detection): Context IPs
                                                                          PO 642021.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          00000000000000000090.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          New Order.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          IMG_1660392.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          mEPx5H8svq.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          NS_PO_86655443.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          INV#1191189.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          NEW PURCHASE#U00c3#U00bf #U00c3#U00bfORDER.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          CITI SOLUTION COMPANY PROFILE.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          QuotationCVXpo00029392.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          Orders.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          DOCUMENT.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          Hydro-463459.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          Payment Document.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          CHIKWA (2).exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          gGQWGJWR4jzvzse.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          cbUJVTVJ.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          SecuriteInfo.com.Trojan.Packed2.42783.20578.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          file.exe (malicious): 104.23.98.190, 104.23.99.190
                                                                          PURCHASE ORDER..exe (malicious): 104.23.98.190, 104.23.99.190

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AF9.tmp.dmp
                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                          File Type:Mini DuMP crash report, 14 streams, Mon Feb 1 21:30:59 2021, 0x1205a4 type
                                                                          Category:dropped
                                                                          Size (bytes):537274
                                                                          Entropy (8bit):3.9310595429624575
                                                                          Encrypted:false
                                                                          SSDEEP:3072:L++noJgF6OH6CvXiyek0sjd+ptBiDNuk0rbA9gIOgF5iRRgsb0OPvyJSUCgUrwZ9:L+iLUvCvlV0dpbDrbA9RpD6bNTjk1N
                                                                          MD5:4170235DECFA153A91261EE362565641
                                                                          SHA1:C4F7ABBF1F75FA08B540E2C09A3DC6447CE53518
                                                                          SHA-256:C4061794E5D6A7C38311A28EE04AB4707AEAB633E5DF323F968E884BB608E9B3
                                                                          SHA-512:88722DAD35F603F6BAB9BEC992262A94F2021FA3F5327FAB2638AB155D4F85A18ECA5772F26CC74C74E4729CAACECFAD91EE6ABF2E63AA4FAAE024D298201A78
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: MDMP....... ........s.`...................U...........B......\/......GenuineIntelW...........T.......4....r.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC13.tmp.WERInternalMetadata.xml
                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8360
                                                                          Entropy (8bit):3.690213391871293
                                                                          Encrypted:false
                                                                          SSDEEP:192:Rrl7r3GLNiFjp6x06Yrm6OgmfZeex8S4CprX89bgksf0amAm:RrlsNi5p6C6YK6OgmffWSIgXfXI
                                                                          MD5:80D4AD7A73773992C856046E6E725643
                                                                          SHA1:34C802EE7CCAB28F42FCC49B7A53CF1D6F93B370
                                                                          SHA-256:8357FAE75D84A0AD351DCB4F4D995F15DB75066FD25E637CBD0CEF03997ABE63
                                                                          SHA-512:AB0925156DB78C8275AE77EB57AC1ACAABB20E85C051F7578915C18F60ED9258383C07E7E3AECE77623C58EBD75B998D0624FEDB189F917474057BA67E302CF1
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC7D.tmp.xml
                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4732
                                                                          Entropy (8bit):4.463218689409153
                                                                          Encrypted:false
                                                                          SSDEEP:48:cvIwSD8zspNJgtWI9cqWSC8Bhs8fm8M4JwquFB+q8v2/JhDg+oIrd:uITfJzLSN7RJwnKuJhDg+xrd
                                                                          MD5:3DAC03AA4D4A5D77A84C1C14B8B998CB
                                                                          SHA1:1E66988AAD28CCAF1995F35C7BFECE34FB604467
                                                                          SHA-256:D559D3756FCDBB5F2D9D0D66674D21DC27AFD5C4BEDDA0BD785DAEB464C30C7E
                                                                          SHA-512:FD75BFAE58A93889EB78FE1AF54DD69E4857A28731D1AB834FA3EB27851F906A2468BCCA8DA470F9BD42D5536E9A70CA1B1ADAC6473CF90815240599CBC8BE05
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POinv00393.exe.log
                                                                          Process:C:\Users\user\Desktop\POinv00393.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):1039
                                                                          Entropy (8bit):5.365622957937216
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4KnKIE4oKFKHKoZAE4Kzr7a:Mgv2HKXwYHKhQnoIHKntHoxHhAHKzva
                                                                          MD5:2AAAF19599DBB7B2B9269F77209C4FBA
                                                                          SHA1:17286C6FB357C72FFC81EE46EF05575A1AE134FD
                                                                          SHA-256:5B8D713F6F10790AF314D4AD256EB7A6BB156912034148D50955AF724FD0F2A4
                                                                          SHA-512:8C2E41464E18768F1ABA2CEC8DBBC8C234F538AB01F381ECCF22F865E2624EEFC362E6099C94C1603359FB42C55D2E8F142E44A7DA2B746DFE858811BDFDEBBF
                                                                          Malicious:true
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):14734
                                                                          Entropy (8bit):4.993014478972177
                                                                          Encrypted:false
                                                                          SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                          MD5:8D5E194411E038C060288366D6766D3D
                                                                          SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                          SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                          SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                          Malicious:false
                                                                          Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):20608
                                                                          Entropy (8bit):5.577957281049141
                                                                          Encrypted:false
                                                                          SSDEEP:384:2t9D+w+8aWA0kzKJwSBKniultIo3D7Y9gxSJUeRe1qMymF+ZSRx1ldM:yjA+w4Kiultp33xXe+N+9
                                                                          MD5:19620665888D6D08F76E36D7436A40C8
                                                                          SHA1:04DC1F73E61645D46EA229427E62BADF8DD1D42C
                                                                          SHA-256:9CD284466BA35D94F39FFCB8513B387F24F8B3A4F23B46FEBC2600D0985878B8
                                                                          SHA-512:D281644896FDDC7BDCF0E602B1FAC36CB4E7BC9107C1E3AB5017F071F743C3689BF4BAE452D9456A8F24160AFF97B28BFA07AA2F00AA5892EF5D518D5AE12614
                                                                          Malicious:false
                                                                          Preview: @...e.......................R.B.........<............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)q.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jbb1rur.kxs.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gd4shtk.lf5.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ap14tuqv.fkf.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btp5zmxs.mrt.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igqs5mg1.0fv.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ita4axrx.vfc.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0eyjx0q.um5.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrwl3rrp.fl5.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe
                                                                          Process:C:\Users\user\Desktop\POinv00393.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4552704
                                                                          Entropy (8bit):2.8112977525077643
                                                                          Encrypted:false
                                                                          SSDEEP:6144:45eP+kQFHJWrhOJUFCfAYes4yP5GgU6NbimHWMJ97/1W3lTYSKVSIrSFoiGPciaW:45eP+kOnEC
                                                                          MD5:E0DB9D12220A5099BD1EBFEFC0CCDCFE
                                                                          SHA1:B0AF96F187273082687F2C58FACA71B837876429
                                                                          SHA-256:09969E8D7AF6E0C3EF34C344FE378DD23B6F93ABCDA793C052E36D1777C35CE7
                                                                          SHA-512:297E6B7A0A22BDD42572C761894826131EB18986A8D0CCD0F092FF21249FA38F1911CBEB14E29571843F2A3D5C0FEBE50D1859757B35A52F952D54521BC2A286
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 18%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sU.`.........."...P...C...........C.. ....D...@.. ........................E...........@.................................`.C.K.....D. .....................E...................................................... ............... ..H............text.....C.. ....C................. ..`.rsrc... .....D.......C.............@..@.reloc........E......vE.............@..B..................C.....H........8....C.....$....................................................**....(....*~~g...:....(2...s.....g...~g...*. ....*.....90...((...9........r.FCp....(....(....*........(....*....*2rtGCp.()...*2r.GCp.()...*2r.GCp.()...*2r.HCp.()...*......(....*..0..........(#...("...(!...( ...(....(....(....(....(....(....(...........d...(....(....(...........c...(....(....(...........b...(....(....(...........a...(....(....(...........`...(....(....(..........._...(....(....(.........
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\POinv00393.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                          C:\Users\user\AppData\Roaming\pid.txt
                                                                          Process:C:\Users\user\Desktop\POinv00393.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):1.5
                                                                          Encrypted:false
                                                                          SSDEEP:3:E:E
                                                                          MD5:2CAD8FA47BBEF282BADBB8DE5374B894
                                                                          SHA1:89B98F7BE8AFC23EBEFC3E02F86EBB89CBE74176
                                                                          SHA-256:4F5131EA0C5A3E7F4C5F86029AE1BE2A60E67F023073BBB074A3A929089E5BC1
                                                                          SHA-512:149D27069D40BCB60EA6A635B8E34E8B31FAD19D388C36B3FC8D6DF21F84D4A8DBC8BD05B127102960C9060771C76A8CC836F14B23D1EEA2B0D6CFA5C2B0BCBB
                                                                          Malicious:false
                                                                          Preview: 2100
                                                                          C:\Users\user\AppData\Roaming\pidloc.txt
                                                                          Process:C:\Users\user\Desktop\POinv00393.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):37
                                                                          Entropy (8bit):4.486348298002912
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNWXp5v1qKrWcBC:oNWXpFgKrY
                                                                          MD5:41637FB0193F907F1ABEB6F39EEA4577
                                                                          SHA1:4CEED84E860A6DE18CBD6E9DF4FE86B698B25D0B
                                                                          SHA-256:FDB0215F49C0EE51BC759CDA39669B5220FCF7591B3F22A22B06E372697B4B2F
                                                                          SHA-512:0B7627D614BF73329BF223A9DD2692241E63D8707377DF86F4CD7D244C4E872BE4E2FA417D5DE939325E7F95B9D4DA6FD6AD4B7BC22A7D8E06AF3A56BD0B4C0B
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\Desktop\POinv00393.exe
                                                                          C:\Users\user\Documents\20210201\PowerShell_transcript.878164.GqBDotby.20210201132918.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3809
                                                                          Entropy (8bit):5.339806385613069
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZ+haNn2qDo1ZpO1ZIhaNn2qDo1ZmqTp0cp0cp07TZpq:Mlly/q
                                                                          MD5:5A3DCAAE0A180D627E433BF5B402255C
                                                                          SHA1:C32CA03F2A01A4865B4A4140EA32A019152B3079
                                                                          SHA-256:CBA172347D512F02BD657F1FA1861B7DA7F0221D23D9614195ADC9A7674FD386
                                                                          SHA-512:BBC8450AAA16B0A3D3BE97845A8B6AA1664970FA9369BAEA9146A8FCD47A4ACB925E69DAC1C363D4C7CA0A6F7D19E62C4503DBDFA0D32BA5840ED13DA206BAF7
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201132952..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6980..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201132953..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..**********************..Command start time: 2021
                                                                          C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RDa_5qiQ.20210201132920.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5127
                                                                          Entropy (8bit):5.417997189198616
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZchaNkqDo1ZqZphaNkqDo1ZZqUSjZ+haNkqDo1Zs3C9:3
                                                                          MD5:6F5B038D676CABE9FE4AF2C24545A590
                                                                          SHA1:02B83A0FB6706B92BF51AACAECA5C00BC7DD7490
                                                                          SHA-256:DDED7AD2F51FCCF981F5BFDC8312247CC671FF02A871EC733870F3FDE4C1F6E1
                                                                          SHA-512:7D37E4B98E05AB946FD7F3AE82D4FB232F49C64265F80FFD33EE156BCDE68FF7A7DE85814A2C0780C3106690D6E9F0D41C29FF2B3F15C012A21ECA83CD6B99C0
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201132954..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\POinv00393.exe -Force..Process ID: 7080..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201132955..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\POinv00393.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210201133945..Username: computer\user..RunAs User: computer\user.
                                                                          C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RU3nUHy1.20210201132916.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3809
                                                                          Entropy (8bit):5.340275685599787
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZOhaNneqDo1ZvZ1ZehaNneqDo1Z8qTp0cp0cp02ZF:Nll9
                                                                          MD5:714E2032E0E9D32A72BEBE0E8CCBF0BD
                                                                          SHA1:0A99BF1E3D745DE47BAD3AA441075A7EE13D1685
                                                                          SHA-256:7FC0B1528ED7ACB4E1D1228FCE35B417158D06057B4CC521314674BE59AF5DD0
                                                                          SHA-512:C74A391C87C9D4003F3EFC503166746986066B1AF09CB2938DA60A3C09AEBB552E0796DA53764169BF6CE889145F61C37B0BF1699E6F705FE00E3E35EA7B07A8
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201132945..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6892..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201132946..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..**********************..Command start time: 2021
                                                                          C:\Users\user\Documents\20210201\PowerShell_transcript.878164.c22VO1SZ.20210201132917.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3809
                                                                          Entropy (8bit):5.339367409959746
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZ/haNnzqDo1ZpO1ZjhaNnzqDo1ZXqTp0cp0cp04ZI:NllC
                                                                          MD5:A803ABA6CCBBBD437B5FEDB28EF7551E
                                                                          SHA1:1A2EF0D582DC12737036765A9CFF386F8C718891
                                                                          SHA-256:B24F498A88C1404D59DF3CD42346D6DF6FF809F970E8A4EC0813F104000E1F14
                                                                          SHA-512:77B79CE756D75E5B725F191198736AAE3D6854177286C634E33BEC483E8EF2C3305499716F8C431FCB34C55319B3591FDF95300FE544144D086467C283737F33
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201132953..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210201132953..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..**********************..Command start time: 2021

                                                                          Static File Info

                                                                          General

                                                                          File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit): 2.8112977525077643
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          File name: POinv00393.exe
                                                                          File size: 4552704
                                                                          MD5: e0db9d12220a5099bd1ebfefc0ccdcfe
                                                                          SHA1: b0af96f187273082687f2c58faca71b837876429
                                                                          SHA256: 09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
                                                                          SHA512: 297e6b7a0a22bdd42572c761894826131eb18986a8d0ccd0f092ff21249fa38f1911cbeb14e29571843f2a3d5c0febe50d1859757b35a52f952d54521bc2a286
                                                                          SSDEEP: 6144:45eP+kQFHJWrhOJUFCfAYes4yP5GgU6NbimHWMJ97/1W3lTYSKVSIrSFoiGPciaW:45eP+kOnEC
                                                                          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sU.`.........."...P...C...........C.. ....D...@.. ........................E...........@................................

                                                                          File Icon

                                                                          Icon Hash: 1731ec421a143187

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint: 0x83fbae
                                                                          Entrypoint Section: .text
                                                                          Digitally signed: false
                                                                          Imagebase: 0x400000
                                                                          Subsystem: windows gui
                                                                          Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                          DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp: 0x60175573 [Mon Feb 1 01:12:19 2021 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version: v4.0.30319
                                                                          OS Version Major: 4
                                                                          OS Version Minor: 0
                                                                          File Version Major: 4
                                                                          File Version Minor: 0
                                                                          Subsystem Version Major: 4
                                                                          Subsystem Version Minor: 0
                                                                          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al

                                                                          Data Directories

                                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43fb60 | 0x4b | .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x440000 | 0x19720 | .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x45a000 | 0xc | .reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                          Sections

                                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                          .text | 0x2000 | 0x43dbb4 | 0x43dc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rsrc | 0x440000 | 0x19720 | 0x19800 | False | 0.400821461397 | data | 4.61510693339 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc | 0x45a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          Name | RVA | Size | Type | Language | Country
                                                                          RT_ICON | 0x4401f0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                          RT_ICON | 0x440658 | 0x10a8 | data | |
                                                                          RT_ICON | 0x441700 | 0x25a8 | data | |
                                                                          RT_ICON | 0x443ca8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
                                                                          RT_ICON | 0x447ed0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554431, next used block 33554431 | |
                                                                          RT_GROUP_ICON | 0x4586f8 | 0x4c | data | |
                                                                          RT_VERSION | 0x458744 | 0x324 | data | |
                                                                          RT_MANIFEST | 0x458a68 | 0xcb8 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                          Imports

                                                                          DLL | Import
                                                                          mscoree.dll | _CorExeMain

                                                                          Version Infos

                                                                          Description | Data
                                                                          Translation | 0x0000 0x04b0
                                                                          LegalCopyright | Copyright 2017
                                                                          Assembly Version | 1.0.0.0
                                                                          InternalName | RunFirst.exe
                                                                          FileVersion | 1.0.0.0
                                                                          CompanyName |
                                                                          LegalTrademarks |
                                                                          Comments |
                                                                          ProductName | WindowsApp4
                                                                          ProductVersion | 1.0.0.0
                                                                          FileDescription | WindowsApp4
                                                                          OriginalFilename | RunFirst.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Feb 1, 2021 13:29:16.513447046 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.553508997 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.553692102 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.601013899 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.641140938 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.645549059 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.645612955 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.645644903 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.645734072 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.650084972 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.690104961 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.690501928 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.732094049 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.771965027 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.814507008 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.861993074 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.862031937 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.862070084 CET | 443 | 49713 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:29:16.862097025 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:16.903844118 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:29:27.112786055 CET | 49713 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:30:24.753370047 CET | 49733 | 587 | 192.168.2.3 | 198.54.122.60
                                                                          Feb 1, 2021 13:30:24.947505951 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:30:24.947632074 CET | 49733 | 587 | 192.168.2.3 | 198.54.122.60
                                                                          Feb 1, 2021 13:30:25.142040968 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:30:25.150007010 CET | 49733 | 587 | 192.168.2.3 | 198.54.122.60
                                                                          Feb 1, 2021 13:30:25.345731974 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:30:25.345933914 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:30:25.387917042 CET | 49733 | 587 | 192.168.2.3 | 198.54.122.60
                                                                          Feb 1, 2021 13:30:25.581036091 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:30:25.626442909 CET | 49733 | 587 | 192.168.2.3 | 198.54.122.60
                                                                          Feb 1, 2021 13:30:35.580713034 CET | 587 | 49733 | 198.54.122.60 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.384181976 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.424554110 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.424674034 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.659849882 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.699973106 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.708345890 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.708395958 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.708425999 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.708525896 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.712896109 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.752990961 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.757481098 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.844849110 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:18.886878014 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.906265974 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.906311989 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.906337976 CET | 443 | 49742 | 104.23.99.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:18.906949043 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:29.612466097 CET | 49742 | 443 | 192.168.2.3 | 104.23.99.190
                                                                          Feb 1, 2021 13:31:42.450350046 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.490411043 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.491337061 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.494322062 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.534347057 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.537802935 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.537851095 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.537899971 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.537921906 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.539942026 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.580662966 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.581034899 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.587011099 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:42.627904892 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.646184921 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.646214008 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.646239996 CET | 443 | 49746 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:42.646367073 CET | 49746 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.166985035 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.207155943 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.207385063 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.237140894 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.277282000 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.280203104 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.280266047 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.280311108 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.280325890 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.289315939 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.331962109 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.332104921 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.344928980 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.386651993 CET | 49749 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.387746096 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.413476944 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.413510084 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.413537979 CET | 443 | 49748 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.413568020 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.426853895 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.427016973 CET | 49749 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.444993019 CET | 49749 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.461222887 CET | 49748 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.485136986 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.487859964 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.487879038 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.487889051 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.488208055 CET | 49749 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.489525080 CET | 49749 | 443 | 192.168.2.3 | 104.23.98.190
                                                                          Feb 1, 2021 13:31:44.529505968 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3
                                                                          Feb 1, 2021 13:31:44.531852961 CET | 443 | 49749 | 104.23.98.190 | 192.168.2.3

                                                                          UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Feb 1, 2021 13:28:59.216948032 CET  64185        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:28:59.264928102 CET  53           64185      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:00.127966881 CET  65110        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:00.176038027 CET  53           65110      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:01.269016027 CET  58361        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:01.317019939 CET  53           58361      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:02.516761065 CET  63492        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:02.569441080 CET  53           63492      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:13.349462032 CET  60831        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:13.397661924 CET  53           60831      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:16.431164026 CET  60100        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:16.490526915 CET  53           60100      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:20.900108099 CET  53195        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:20.948139906 CET  53           53195      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:23.858836889 CET  50141        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:23.911160946 CET  53           50141      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:24.810740948 CET  53023        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:24.860874891 CET  53           53023      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:25.646713018 CET  49563        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:25.696690083 CET  53           49563      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:26.833936930 CET  51352        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:26.882045984 CET  53           51352      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:28.218255997 CET  59349        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:28.279561996 CET  53           59349      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:29.304369926 CET  57084        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:29.352374077 CET  53           57084      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:31.726248980 CET  58823        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:31.777128935 CET  53           58823      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:32.818933010 CET  57568        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:32.866981030 CET  53           57568      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:33.843837976 CET  50540        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:33.904483080 CET  53           50540      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:38.807836056 CET  54366        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:38.857064009 CET  53           54366      8.8.8.8      192.168.2.3
Feb 1, 2021 13:29:49.351733923 CET  53034        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:29:49.418762922 CET  53           53034      8.8.8.8      192.168.2.3
Feb 1, 2021 13:30:02.960099936 CET  57762        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:30:03.017563105 CET  53           57762      8.8.8.8      192.168.2.3
Feb 1, 2021 13:30:13.738193035 CET  55435        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:30:13.804760933 CET  53           55435      8.8.8.8      192.168.2.3
Feb 1, 2021 13:30:16.272480011 CET  50713        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:30:16.331005096 CET  53           50713      8.8.8.8      192.168.2.3
Feb 1, 2021 13:30:24.550024986 CET  56132        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:30:24.606308937 CET  53           56132      8.8.8.8      192.168.2.3
Feb 1, 2021 13:30:47.385190964 CET  58987        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:30:47.437189102 CET  53           58987      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:01.019228935 CET  56579        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:01.077106953 CET  53           56579      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:18.281862020 CET  60633        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:18.341321945 CET  53           60633      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:22.709028959 CET  61292        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:22.758601904 CET  53           61292      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:23.435662031 CET  63619        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:23.507647991 CET  53           63619      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:42.382093906 CET  64938        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:42.429873943 CET  53           64938      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:42.933465958 CET  61946        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:42.992605925 CET  53           61946      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:44.069084883 CET  64910        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:44.120579958 CET  53           64910      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:44.161408901 CET  52123        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:44.220738888 CET  53           52123      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:44.798934937 CET  56130        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:44.858637094 CET  53           56130      8.8.8.8      192.168.2.3
Feb 1, 2021 13:31:59.554116011 CET  56338        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:31:59.614866018 CET  53           56338      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:01.269294977 CET  59420        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:01.326045990 CET  53           59420      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:02.431868076 CET  58784        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:02.490565062 CET  53           58784      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:05.613373041 CET  63978        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:05.675867081 CET  53           63978      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:06.200283051 CET  62938        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:06.256623983 CET  53           62938      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:06.672820091 CET  55708        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:06.732122898 CET  53           55708      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:07.253746986 CET  56803        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:07.311764002 CET  53           56803      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:07.870692015 CET  57145        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:07.930886030 CET  53           57145      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:08.562553883 CET  55359        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:08.613559008 CET  53           55359      8.8.8.8      192.168.2.3
Feb 1, 2021 13:32:09.056766033 CET  58306        53         192.168.2.3  8.8.8.8
Feb 1, 2021 13:32:09.114964008 CET  53           58306      8.8.8.8      192.168.2.3

                                                                          DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                      Type                  Class
Feb 1, 2021 13:29:16.431164026 CET  192.168.2.3  8.8.8.8  0x3d6d    Standard query (0)  pastebin.com              A (IP address)        IN (0x0001)
Feb 1, 2021 13:30:16.272480011 CET  192.168.2.3  8.8.8.8  0x39c2    Standard query (0)  84.102.13.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Feb 1, 2021 13:30:24.550024986 CET  192.168.2.3  8.8.8.8  0x5160    Standard query (0)  mail.privateemail.com     A (IP address)        IN (0x0001)
Feb 1, 2021 13:31:18.281862020 CET  192.168.2.3  8.8.8.8  0xc79a    Standard query (0)  pastebin.com              A (IP address)        IN (0x0001)
Feb 1, 2021 13:31:42.382093906 CET  192.168.2.3  8.8.8.8  0x473e    Standard query (0)  pastebin.com              A (IP address)        IN (0x0001)
Feb 1, 2021 13:31:44.069084883 CET  192.168.2.3  8.8.8.8  0xb976    Standard query (0)  pastebin.com              A (IP address)        IN (0x0001)
Feb 1, 2021 13:31:44.161408901 CET  192.168.2.3  8.8.8.8  0x75b8    Standard query (0)  pastebin.com              A (IP address)        IN (0x0001)

                                                                          DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                      CName                                 Address        Type                    Class
Feb 1, 2021 13:29:16.490526915 CET  8.8.8.8    192.168.2.3  0x3d6d    No error (0)    pastebin.com              -                                     104.23.98.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:29:16.490526915 CET  8.8.8.8    192.168.2.3  0x3d6d    No error (0)    pastebin.com              -                                     104.23.99.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:30:16.331005096 CET  8.8.8.8    192.168.2.3  0x39c2    Name error (3)  84.102.13.0.in-addr.arpa  none                                  none           PTR (Pointer record)    IN (0x0001)
Feb 1, 2021 13:30:24.606308937 CET  8.8.8.8    192.168.2.3  0x5160    No error (0)    mail.privateemail.com     -                                     198.54.122.60  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:18.341321945 CET  8.8.8.8    192.168.2.3  0xc79a    No error (0)    pastebin.com              -                                     104.23.99.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:18.341321945 CET  8.8.8.8    192.168.2.3  0xc79a    No error (0)    pastebin.com              -                                     104.23.98.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:42.429873943 CET  8.8.8.8    192.168.2.3  0x473e    No error (0)    pastebin.com              -                                     104.23.98.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:42.429873943 CET  8.8.8.8    192.168.2.3  0x473e    No error (0)    pastebin.com              -                                     104.23.99.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:42.992605925 CET  8.8.8.8    192.168.2.3  0xd1ec    No error (0)    prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net  -              CNAME (Canonical name)  IN (0x0001)
Feb 1, 2021 13:31:44.120579958 CET  8.8.8.8    192.168.2.3  0xb976    No error (0)    pastebin.com              -                                     104.23.98.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:44.120579958 CET  8.8.8.8    192.168.2.3  0xb976    No error (0)    pastebin.com              -                                     104.23.99.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:44.220738888 CET  8.8.8.8    192.168.2.3  0x75b8    No error (0)    pastebin.com              -                                     104.23.98.190  A (IP address)          IN (0x0001)
Feb 1, 2021 13:31:44.220738888 CET  8.8.8.8    192.168.2.3  0x75b8    No error (0)    pastebin.com              -                                     104.23.99.190  A (IP address)          IN (0x0001)

                                                                          HTTPS Packets

Timestamp                           Source IP      Source Port  Dest IP      Dest Port
Feb 1, 2021 13:29:16.645644903 CET  104.23.98.190  443          192.168.2.3  49713
Feb 1, 2021 13:31:18.708425999 CET  104.23.99.190  443          192.168.2.3  49742
Feb 1, 2021 13:31:42.537899971 CET  104.23.98.190  443          192.168.2.3  49746
Feb 1, 2021 13:31:44.280311108 CET  104.23.98.190  443          192.168.2.3  49748
Feb 1, 2021 13:31:44.487889051 CET  104.23.98.190  443          192.168.2.3  49749

All five sessions presented the same certificate chain and the same client fingerprint:

Leaf certificate
  Subject:     CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
  Issuer:      CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
  Not Before:  Mon Aug 17 02:00:00 CEST 2020
  Not After:   Tue Aug 17 14:00:00 CEST 2021

Intermediate certificate
  Subject:     CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
  Issuer:      CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before:  Mon Jan 27 13:46:39 CET 2020
  Not After:   Wed Jan 01 00:59:59 CET 2025

JA3 SSL Client Fingerprint:  769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest:       54328bd36c14bd82ddaa0c04b25ed9ad
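The JA3 columns describe the client side of each TLS session. The fingerprint string lists, as decimal IANA code points, the ClientHello version, the offered cipher suites, the extensions, the named groups and the EC point formats, and the digest is the MD5 of that string. Decoding it shows what the sample's TLS stack actually offered: 769 is 0x0301, the TLS 1.0 version number, and there is no supported_versions extension (43) in the list, so nothing newer than TLS 1.0 was offered; every suite is CBC with SHA-1, down to 3DES (10). The following Python script is an added example, not part of the Joe Sandbox report. Its code-point tables are a hand-picked subset of the IANA TLS registries covering the values that occur here, and the constant and function names are mine:

```python
import hashlib

# Values copied from the HTTPS table above (constructed input for this example).
REPORTED_JA3 = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
REPORTED_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

# Hand-picked subset of the IANA TLS registries: the code points seen in this
# fingerprint plus the other TLS version numbers. Anything else is reported as unknown.
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
CIPHER_SUITES = {
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    23: "extended_master_secret", 35: "session_ticket", 43: "supported_versions",
    65281: "renegotiation_info",
}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
POINT_FORMATS = {0: "uncompressed"}


def ja3_digest(ja3: str) -> str:
    """JA3 defines the digest as MD5 over the textual fingerprint."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def _codes(field: str) -> list:
    """'49162-49161' -> [49162, 49161]; an empty field means an empty list."""
    return [int(x) for x in field.split("-")] if field else []


def parse_ja3(ja3: str) -> dict:
    """Split a JA3 string into its five fields and name every code point we know."""
    fields = ja3.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have exactly 5 comma-separated fields")
    version = int(fields[0])
    ciphers, extensions, groups, formats = (_codes(f) for f in fields[1:])

    def name(table, code):
        return table.get(code, f"unknown({code})")

    return {
        "version": name(TLS_VERSIONS, version),
        # Without supported_versions (43) the hello version is the client's maximum.
        "max_version_is_hello_version": 43 not in extensions,
        "ciphers": [name(CIPHER_SUITES, c) for c in ciphers],
        "extensions": [name(EXTENSIONS, e) for e in extensions],
        "groups": [name(GROUPS, g) for g in groups],
        "point_formats": [name(POINT_FORMATS, p) for p in formats],
        "offers_3des": 10 in ciphers,
        "sends_sni": 0 in extensions,
        "digest": ja3_digest(ja3),
    }


def digest_matches(ja3: str, reported_digest: str) -> bool:
    """Cross-check the report's fingerprint column against its digest column."""
    return ja3_digest(ja3) == reported_digest.strip().lower()


if __name__ == "__main__":
    for key, value in parse_ja3(REPORTED_JA3).items():
        print(f"{key:>28}: {value}")
    print("digest column consistent:", digest_matches(REPORTED_JA3, REPORTED_DIGEST))
```

A .NET sample hands TLS to the Windows Schannel stack rather than shipping its own, so this JA3 reflects the OS build, not the malware, and will also appear on benign Windows software from the same image. Treat it as corroborating context and key detection on the destination (pastebin.com as the C2 lookup) and the behaviour in the rest of the report instead.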

                                                                          SMTP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP        Commands
Feb 1, 2021 13:30:25.142040968 CET  587          49733      198.54.122.60  192.168.2.3    220 PrivateEmail.com prod Mail Node
Feb 1, 2021 13:30:25.150007010 CET  49733        587        192.168.2.3    198.54.122.60  EHLO 878164
Feb 1, 2021 13:30:25.345933914 CET  587          49733      198.54.122.60  192.168.2.3    250-mta-14.privateemail.com
                                                                                          250-PIPELINING
                                                                                          250-SIZE 81788928
                                                                                          250-ETRN
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-ENHANCEDSTATUSCODES
                                                                                          250-8BITMIME
                                                                                          250 STARTTLS
Feb 1, 2021 13:30:25.387917042 CET  49733        587        192.168.2.3    198.54.122.60  STARTTLS
Feb 1, 2021 13:30:25.581036091 CET  587          49733      198.54.122.60  192.168.2.3    220 Ready to start TLS
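This table is the only cleartext part of the exfiltration channel: the server banner, the sample's EHLO, the capability list and the STARTTLS upgrade. After the 220 Ready to start TLS reply, the AUTH exchange (the mailbox credentials HawkEye carries in its configuration) and the message with the stolen data run inside TLS, which is why the capture ends there; those credentials come from the extracted configuration and the memory dumps, not from the pcap. The following Python script walks that dialogue and reports what a responder can and cannot learn from it. It is an added example, not tooling from the report; the transcript is constructed from the lines above and the function names are mine:

```python
# Constructed transcript of the SMTP dialogue in the table above, in capture order.
# "C" is the infected host (192.168.2.3:49733), "S" is mail.privateemail.com (198.54.122.60:587).
CAPTURE = [
    ("S", "220 PrivateEmail.com prod Mail Node"),
    ("C", "EHLO 878164"),
    ("S", "250-mta-14.privateemail.com"),
    ("S", "250-PIPELINING"),
    ("S", "250-SIZE 81788928"),
    ("S", "250-ETRN"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-ENHANCEDSTATUSCODES"),
    ("S", "250-8BITMIME"),
    ("S", "250 STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
]


def parse_ehlo_reply(lines):
    """Parse a multi-line EHLO reply (RFC 5321 section 4.1.1.1): "250-" lines continue,
    a "250 " line ends it. Returns (server_hostname, {KEYWORD: [params]})."""
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO reply must start with 250")
    host = lines[0][4:].split()[0]
    if lines[0][3:4] == " ":          # single-line reply: greeting only, no capabilities
        return host, {}
    caps = {}
    for line in lines[1:]:
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        keyword, *params = text.split()
        caps[keyword.upper()] = params
        if sep == " ":
            break
    else:
        raise ValueError("EHLO reply never terminated with a '250 ' line")
    return host, caps


def analyze_session(transcript):
    """Walk the captured dialogue and record what is, and is not, visible to a responder."""
    s = {"banner": None, "ehlo_name": None, "server_host": None, "capabilities": [],
         "auth_mechanisms": [], "max_message_size": None, "auth_advertised_before_tls": False,
         "tls_started": False, "credentials_in_clear": False, "cleartext_lines_after_tls": None}
    i = 0
    while i < len(transcript):
        who, line = transcript[i]
        upper = line.upper()
        if who == "S" and s["banner"] is None and line.startswith("220"):
            s["banner"] = line[4:]
        elif who == "C" and upper.startswith("EHLO "):
            s["ehlo_name"] = line[5:].strip()
            reply, j = [], i + 1           # the reply is every consecutive server line
            while j < len(transcript) and transcript[j][0] == "S":
                reply.append(transcript[j][1])
                j += 1
            s["server_host"], caps = parse_ehlo_reply(reply)
            s["capabilities"] = sorted(caps)
            s["auth_mechanisms"] = caps.get("AUTH", [])
            s["max_message_size"] = int(caps["SIZE"][0]) if caps.get("SIZE") else None
            # AUTH listed in the pre-TLS EHLO: the server would take a cleartext login.
            s["auth_advertised_before_tls"] = "AUTH" in caps and not s["tls_started"]
            i = j
            continue
        elif who == "C" and upper.startswith("AUTH") and not s["tls_started"]:
            s["credentials_in_clear"] = True
        elif who == "C" and upper == "STARTTLS":
            nxt = transcript[i + 1] if i + 1 < len(transcript) else None
            s["tls_started"] = bool(nxt and nxt[0] == "S" and nxt[1].startswith("220"))
            if s["tls_started"]:
                # From here on (AUTH, MAIL FROM, RCPT TO, the stolen data) everything is encrypted.
                s["cleartext_lines_after_tls"] = len(transcript) - (i + 2)
                break
        i += 1
    return s


if __name__ == "__main__":
    for key, value in analyze_session(CAPTURE).items():
        print(f"{key:>28}: {value}")
```

The server advertises AUTH PLAIN LOGIN before TLS is negotiated, so the same endpoint would accept a cleartext login from a client that skipped STARTTLS; this sample did not, and credentials_in_clear stays False. The EHLO argument (878164) is whatever hostname the client chose to send and is worth recording as a sample-specific artefact alongside the destination.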

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior


                                                                          System Behavior

                                                                          General

                                                                          Start time:13:29:05
                                                                          Start date:01/02/2021
                                                                          Path:C:\Users\user\Desktop\POinv00393.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\POinv00393.exe'
                                                                          Imagebase:0xe70000
                                                                          File size:4552704 bytes
                                                                          MD5 hash:E0DB9D12220A5099BD1EBFEFC0CCDCFE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:13:29:14
                                                                          Start date:01/02/2021
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
                                                                          Imagebase:0xcc0000
                                                                          File size:430592 bytes
                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:29:14
                                                                          Start date:01/02/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:29:14
                                                                          Start date:01/02/2021
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Imagebase: 0xcc0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 13:29:15
Start date: 01/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:29:15
Start date: 01/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Imagebase: 0xcc0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 13:29:15
Start date: 01/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:29:15
Start date: 01/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Imagebase: 0xcc0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 13:29:16
Start date: 01/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:29:23
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\POinv00393.exe
Imagebase: 0x800000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:29:26
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POinv00393.exe'
Imagebase: 0xe10000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:29:35
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POinv00393.exe'
Imagebase: 0x780000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:29:44
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POinv00393.exe'
Imagebase: 0x110000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:29:52
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POinv00393.exe'
Imagebase: 0xcc0000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:30:01
Start date: 01/02/2021
Path: C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POinv00393.exe'
Imagebase: 0x740000
File size: 4552704 bytes
MD5 hash: E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:30:26
Start date: 01/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
Imagebase: 0x370000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Disassembly

Code Analysis
