
Windows Analysis Report
YPzNsfg4nR.exe

Overview

General Information

Sample name: YPzNsfg4nR.exe (renamed because the original name is a hash value)
Original sample name: 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6.exe
Analysis ID: 1585127
MD5: 47f35ed89ba0b7756cc4d268e7516f55
SHA1: 714b90afdccaee669f5e2edd1b8680c4631cffa0
SHA256: 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6
Tags: exe, user-zhuzhu0009

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • YPzNsfg4nR.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\YPzNsfg4nR.exe" MD5: 47F35ED89BA0B7756CC4D268E7516F55)
    • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 24572628.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\24572628.exe" MD5: FFD51738DC3483954A7BCDFAF713DB10)
      • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7536 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • coding (PID: 5384 cmdline: C:\ProgramData\coding MD5: FFD51738DC3483954A7BCDFAF713DB10)
  • OpenWith.exe (PID: 7752 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 7736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 3536 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • coding (PID: 8084 cmdline: C:\ProgramData\coding MD5: FFD51738DC3483954A7BCDFAF713DB10)
  • cleanup
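The process tree above is the part of this report a detection engineer can act on: the dropper spawns powershell.exe with -ExecutionPolicy Bypass to add Defender exclusions for its own path and for C:\ProgramData\coding, registers a schtasks.exe task that runs the extensionless C:\ProgramData\coding every minute, and writes the same path to the HKCU Run key. The following Python is an added example, not part of the Joe Sandbox report and not XWorm's code. It runs detection logic over process-creation and registry-set events shaped like the Sigma match data in this report; the sample events are constructed from the command lines in the tree, and the -EncodedCommand variant is an assumed evasion the report does not contain, included so that the rule also fires when the cmdlet name is hidden behind base64.

```python
"""Detection logic for the behaviours in the process tree above (added example,
not part of the Joe Sandbox report and not XWorm's code): Defender exclusions
added through PowerShell, a scheduled task and a Run key pointing at an
extensionless binary under C:\\ProgramData, and the correlation of the two."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                  # "process" (process creation) or "registry" (value set)
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""           # registry key path, for "registry" events
    details: str = ""          # registry value data, for "registry" events


# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Add-MpPreference with any of the three exclusion parameters; group 1 is the excluded value
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)   # schtasks /tr argument
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def normalize_cmdline(cmdline: str) -> str:
    """Append the decoded payload of an -EncodedCommand argument (base64 of UTF-16LE),
    so a rule written for the plain cmdlet name also fires on the encoded form."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def is_suspicious_target(path: str) -> bool:
    """True for an extensionless file in a user-writable root, e.g. C:\\ProgramData\\coding."""
    p = path.strip("'\"").lower()
    return p.startswith(USER_WRITABLE) and "." not in p.rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, subject) findings; an 'excluded_and_persisted' finding is emitted
    when the same path is both excluded from Defender and launched by a persistence entry."""
    findings, excluded, persisted = [], set(), set()
    for ev in events:
        img = ev.image.lower()
        if ev.kind == "process" and img.endswith("powershell.exe"):
            m = EXCLUSION_RE.search(normalize_cmdline(ev.cmdline))
            if m:
                findings.append(("defender_exclusion", m.group(1)))
                excluded.add(m.group(1).lower())
        elif ev.kind == "process" and img.endswith("schtasks.exe"):
            m = TASK_TARGET_RE.search(ev.cmdline)
            if "/create" in ev.cmdline.lower() and m:
                target = m.group(1) or m.group(2)
                if is_suspicious_target(target):
                    findings.append(("schtask_user_writable", target))
                    persisted.add(target.lower())
        elif ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
            target = ev.details.strip('"')
            if is_suspicious_target(target):
                findings.append(("runkey_user_writable", target))
                persisted.add(target.lower())
    for path in sorted(excluded & persisted):
        findings.append(("excluded_and_persisted", path))
    return findings


# Constructed events mirroring the command lines in the process tree (not a log export).
PS_IMG = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = '"' + PS_IMG + '"'
DROPPER = r"C:\Users\user\Desktop\24572628.exe"
SAMPLE_EVENTS = [
    Event("process", PS_IMG, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'", DROPPER),
    Event("process", PS_IMG, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'", DROPPER),
    Event("process", PS_IMG, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'", DROPPER),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"', DROPPER),
    Event("registry", DROPPER, target=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coding",
          details=r"C:\ProgramData\coding"),
    # Assumed variant not in the report: the same cmdlet hidden behind -EncodedCommand.
    Event("process", PS_IMG, PS + " -enc " + base64.b64encode(
        "Add-MpPreference -ExclusionProcess 'coding'".encode("utf-16le")).decode(), DROPPER),
    # Benign read-only query that must not fire.
    Event("process", PS_IMG, PS + " -NoProfile Get-MpPreference", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {subject}")
```

The correlation step is the part worth keeping in production: a single Add-MpPreference call has legitimate admin uses, but a path that is excluded from scanning and then wired into a Run key or a per-minute task is the exact sequence this sample performs, and it is cheap to score much higher than either event alone.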
{"C2 url": ["usb-alignment.gl.at.ply.gg"], "Port": 39219, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches: dropped files
Source | Rule | Description | Author
C:\ProgramData\coding | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\coding | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\coding | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xcc77:$str01: $VB$Local_Port
  • 0xccc0:$str02: $VB$Local_Host
  • 0xaf88:$str03: get_Jpeg
  • 0xb5d4:$str04: get_ServicePack
  • 0xe748:$str05: Select * from AntivirusProduct
  • 0xf0a6:$str06: PCRestart
  • 0xf0ba:$str07: shutdown.exe /f /r /t 0
  • 0xf16c:$str08: StopReport
  • 0xf142:$str09: StopDDos
  • 0xf238:$str10: sendPlugin
  • 0xf3b8:$str12: -ExecutionPolicy Bypass -File "
  • 0xfd04:$str13: Content-length: 5235
C:\ProgramData\coding | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe16c:$s6: VirtualBox
  • 0xe0ca:$s8: Win32_ComputerSystem
  • 0x10c19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10cb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10dcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfc1f:$cnc4: POST / HTTP/1.1
C:\Users\user\Desktop\24572628.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(3 further dropped-file matches not shown)

Yara matches: memory dumps
Source | Rule | Description | Author
00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdf6c:$s6: VirtualBox
  • 0xdeca:$s8: Win32_ComputerSystem
  • 0x10a19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10ab6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10bcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfa1f:$cnc4: POST / HTTP/1.1
00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfdb4:$s6: VirtualBox
  • 0xfd12:$s8: Win32_ComputerSystem
  • 0x12861:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x128fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12a13:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11867:$cnc4: POST / HTTP/1.1
00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(2 further memory-dump matches not shown)

Yara matches: unpacked PEs
Source | Rule | Description | Author
3.0.24572628.exe.340000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.0.24572628.exe.340000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.0.24572628.exe.340000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xcc77:$str01: $VB$Local_Port
  • 0xccc0:$str02: $VB$Local_Host
  • 0xaf88:$str03: get_Jpeg
  • 0xb5d4:$str04: get_ServicePack
  • 0xe748:$str05: Select * from AntivirusProduct
  • 0xf0a6:$str06: PCRestart
  • 0xf0ba:$str07: shutdown.exe /f /r /t 0
  • 0xf16c:$str08: StopReport
  • 0xf142:$str09: StopDDos
  • 0xf238:$str10: sendPlugin
  • 0xf3b8:$str12: -ExecutionPolicy Bypass -File "
  • 0xfd04:$str13: Content-length: 5235
3.0.24572628.exe.340000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe16c:$s6: VirtualBox
  • 0xe0ca:$s8: Win32_ComputerSystem
  • 0x10c19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10cb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10dcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfc1f:$cnc4: POST / HTTP/1.1
0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(6 further unpacked-PE matches not shown)

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\coding, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\24572628.exe, ProcessId: 7544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coding
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\ProgramData\coding, CommandLine: C:\ProgramData\coding, CommandLine|base64offset|contains: , Image: C:\ProgramData\coding, NewProcessName: C:\ProgramData\coding, OriginalFileName: C:\ProgramData\coding, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\ProgramData\coding, ProcessId: 5384, ProcessName: coding
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\24572628.exe, ProcessId: 7544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coding.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7736, ProcessName: svchost.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T06:02:05.111357+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50007 | 147.185.221.21 | 39219 | TCP


                    AV Detection

Source: usb-alignment.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\ProgramData\coding | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\24572628.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["usb-alignment.gl.at.ply.gg"], "Port": 39219, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\ProgramData\coding | ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\24572628.exe | ReversingLabs: Detection: 91%
Source: YPzNsfg4nR.exe | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\coding | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\24572628.exe | Joe Sandbox ML: detected
Source: YPzNsfg4nR.exe | Joe Sandbox ML: detected
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: usb-alignment.gl.at.ply.gg
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: 39219
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <123456789>
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <Xwormmm>
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: XWorm V5.6
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: USB.exe
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: %ProgramData%
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: coding
Source: YPzNsfg4nR.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdbSHA256J | source: YPzNsfg4nR.exe
Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdb | source: YPzNsfg4nR.exe

                    Networking

Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49999 -> 147.185.221.21:39219
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50007 -> 147.185.221.21:39219
Source: Malware configuration extractor | URLs: usb-alignment.gl.at.ply.gg
Source: Yara match | File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\coding, type: DROPPED
Source: Yara match | File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49999 -> 147.185.221.21:39219
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.21
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (two occurrences)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: usb-alignment.gl.at.ply.gg
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: svchost.exe, 00000013.00000002.3423579528.00000284AE4BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, 24572628.exe, 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, coding.3.dr, 24572628.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2639330504.0000021EE8762000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000013.00000003.3002178502.00000284B3A70000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.2639330504.0000021EE878B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5n
Source: powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

                    Operating System Destruction

Source: C:\Users\user\Desktop\24572628.exe | Process information set: 01 00 00 00

                    System Summary

                    barindex
                    Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\ProgramData\coding, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: C:\ProgramData\coding, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A41290
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A46E72
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A41719
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A460C6
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A4108D
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A420F1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B130E7
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848B330E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF848B42E11
                    Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A71719
                    Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A720F1
                    Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A71038
                    Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A31719
                    Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A320F1
                    Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A31038
                    Source: YPzNsfg4nR.exe | Static PE information: No import functions for PE file found
                    Source: YPzNsfg4nR.exe, 00000000.00000000.2176160386.0000020868AC6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename1fht7W0d34QhN.exe< vs YPzNsfg4nR.exe
                    Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexingping.exe4 vs YPzNsfg4nR.exe
                    Source: YPzNsfg4nR.exe, 00000000.00000002.2274202770.0000020868C65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexiW vs YPzNsfg4nR.exe
                    Source: YPzNsfg4nR.exe | Binary or memory string: OriginalFilename1fht7W0d34QhN.exe< vs YPzNsfg4nR.exe
                    Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\ProgramData\coding, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: C:\ProgramData\coding, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: YPzNsfg4nR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: YPzNsfg4nR.exe, Loader.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 24572628.exe.0.dr, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: coding.3.dr, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/28@2/3
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | File created: C:\Users\user\Desktop\xxx.log
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4288:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
                    Source: C:\ProgramData\coding | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
                    Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
                    Source: C:\Users\user\Desktop\24572628.exe | Mutant created: \Sessions\1\BaseNamedObjects\HAzSfCvWFIXriVXa
                    Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
                    Source: C:\Users\user\Desktop\24572628.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: YPzNsfg4nR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: YPzNsfg4nR.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: YPzNsfg4nR.exe | Virustotal: Detection: 16%
                    Source: unknown | Process created: C:\Users\user\Desktop\YPzNsfg4nR.exe "C:\Users\user\Desktop\YPzNsfg4nR.exe"
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Process created: C:\Users\user\Desktop\24572628.exe "C:\Users\user\Desktop\24572628.exe"
                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\ProgramData\coding C:\ProgramData\coding
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                    Source: unknown | Process created: C:\ProgramData\coding C:\ProgramData\coding
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: ntshrui.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: cscapi.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: avicap32.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: msvfw32.dll
                    Source: C:\Users\user\Desktop\24572628.exe | Section loaded: winmm.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\ProgramData\coding | Section loaded: mscoree.dll
                    Source: C:\ProgramData\coding | Section loaded: apphelp.dll
                    Source: C:\ProgramData\coding | Section loaded: kernel.appcore.dll
                    Source: C:\ProgramData\coding | Section loaded: version.dll
                    Source: C:\ProgramData\coding | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: uxtheme.dll
                    Source: C:\ProgramData\coding | Section loaded: sspicli.dll
                    Source: C:\ProgramData\coding | Section loaded: cryptsp.dll
                    Source: C:\ProgramData\coding | Section loaded: rsaenh.dll
                    Source: C:\ProgramData\coding | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
                    Source: C:\ProgramData\coding | Section loaded: mscoree.dll
                    Source: C:\ProgramData\coding | Section loaded: kernel.appcore.dll
                    Source: C:\ProgramData\coding | Section loaded: version.dll
                    Source: C:\ProgramData\coding | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\coding | Section loaded: uxtheme.dll
                    Source: C:\ProgramData\coding | Section loaded: sspicli.dll
                    Source: C:\ProgramData\coding | Section loaded: cryptsp.dll
                    Source: C:\ProgramData\coding | Section loaded: rsaenh.dll
                    Source: C:\ProgramData\coding | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                    Source: coding.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\coding
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: YPzNsfg4nR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: YPzNsfg4nR.exe | Static PE information: Image base 0x140000000 > 0x60000000
                    Source: YPzNsfg4nR.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: YPzNsfg4nR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdbSHA256J source: YPzNsfg4nR.exe
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdb source: YPzNsfg4nR.exe

                    Data Obfuscation

                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: YPzNsfg4nR.exe Static PE information: 0xA7BF61F9 [Sat Mar 8 08:25:29 2059 UTC]
                    Source: C:\Users\user\Desktop\24572628.exe Code function: 3_2_00007FF848A400BD pushad ; iretd 3_2_00007FF848A400C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF84892D2A5 pushad ; iretd 4_2_00007FF84892D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A4B98C push ecx; retf 4_2_00007FF848A4B9F2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A4351D pushfd ; ret 4_2_00007FF848A43552
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A4B9FA push edx; retf 4_2_00007FF848A4BA02
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A4BA03 push ecx; retf 4_2_00007FF848A4B9F2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A42648 push cs; ret 4_2_00007FF848A42692
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A428B5 pushad ; ret 4_2_00007FF848A428BA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A428E3 pushad ; ret 4_2_00007FF848A42901
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A428BB pushad ; ret 4_2_00007FF848A42901
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848A4280B push edx; ret 4_2_00007FF848A42862
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848B12316 push 8B485F94h; iretd 4_2_00007FF848B1231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF84894D2A5 pushad ; iretd 8_2_00007FF84894D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848A6A5F5 push edx; retf 8_2_00007FF848A6A64A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848A6A63C push edx; retf 8_2_00007FF848A6A64A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848A6A70C push esi; retf 8_2_00007FF848A6A74A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848B32316 push 8B485F92h; iretd 8_2_00007FF848B3231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF84894D2A5 pushad ; iretd 11_2_00007FF84894D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A99C push esi; retf 11_2_00007FF848A6A9AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A785 push edx; retf 11_2_00007FF848A6A7DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A7CC push edx; retf 11_2_00007FF848A6A7DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A90C push esi; retf 11_2_00007FF848A6A90D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A976 push esi; retf 11_2_00007FF848A6A98A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A945 push esi; retf 11_2_00007FF848A6A946
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A8AB push esi; retf 11_2_00007FF848A6A8DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A89C push edx; retf 11_2_00007FF848A6A8AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A6A876 push edx; retf 11_2_00007FF848A6A88A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848A619DA pushad ; ret 11_2_00007FF848A619E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848B32316 push 8B485F92h; iretd 11_2_00007FF848B3231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF84895D2A5 pushad ; iretd 13_2_00007FF84895D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF848B42316 push 8B485F91h; iretd 13_2_00007FF848B4231B
                    Source: YPzNsfg4nR.exe Static PE information: section name: .text entropy: 7.988299230220677
                    Source: 24572628.exe.0.dr, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: 24572628.exe.0.dr, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: 24572628.exe.0.dr, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: 24572628.exe.0.dr, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: 24572628.exe.0.dr, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: 24572628.exe.0.dr, XRg5CXzghacu61mWJVTLzsueymr.cs High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: 24572628.exe.0.dr, R2IfcvgzWekfqbuZeqPv4fujzXh.cs High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, XRg5CXzghacu61mWJVTLzsueymr.cs High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, R2IfcvgzWekfqbuZeqPv4fujzXh.cs High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: coding.3.dr, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: coding.3.dr, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: coding.3.dr, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: coding.3.dr, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: coding.3.dr, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: coding.3.dr, XRg5CXzghacu61mWJVTLzsueymr.cs High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: coding.3.dr, R2IfcvgzWekfqbuZeqPv4fujzXh.cs High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: C:\Users\user\Desktop\24572628.exe File created: C:\ProgramData\coding
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe File created: C:\Users\user\Desktop\24572628.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\24572628.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                    Source: C:\Users\user\Desktop\24572628.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coding.lnk
                    Source: C:\Users\user\Desktop\24572628.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run coding

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\24572628.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\ProgramData\coding Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\codingProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: global traffic :: HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\24572628.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 occurrences)
                    Source: 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: SBIEDLL.DLL
                    Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, 24572628.exe, 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, coding.3.dr, 24572628.exe.0.dr :: Binary or memory string: ...
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Memory allocated: 20868E00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Memory allocated: 2086A700000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\24572628.exe :: Memory allocated: A80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\24572628.exe :: Memory allocated: 1A5E0000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding :: Memory allocated: 670000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding :: Memory allocated: 1A430000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding :: Memory allocated: 12B0000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding :: Memory allocated: 1AD50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\24572628.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (4 occurrences)
                    Source: C:\ProgramData\coding :: Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Users\user\Desktop\24572628.exe :: Window / User API: threadDelayed 9337
                    Source: C:\Users\user\Desktop\24572628.exe :: Window / User API: threadDelayed 510
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 6223
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 3608
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7409
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2189
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7415
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2019
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7418
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2201
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe TID: 7472 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\24572628.exe TID: 5324 :: Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 :: Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084 :: Thread sleep count: 7409 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 :: Thread sleep count: 2189 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 :: Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180 :: Thread sleep count: 7415 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4796 :: Thread sleep count: 2019 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 :: Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 :: Thread sleep count: 7418 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 :: Thread sleep count: 2201 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292 :: Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\ProgramData\coding TID: 3440 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 8060 :: Thread sleep time: -30000s >= -30000s
                    Source: C:\ProgramData\coding TID: 8072 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe :: File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\24572628.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
                    Source: C:\Users\user\Desktop\24572628.exe :: File Volume queried: C:\ FullSizeInformation (4 occurrences)
                    Source: C:\ProgramData\coding :: File Volume queried: C:\ FullSizeInformation (2 occurrences)
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\24572628.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (4 occurrences)
                    Source: C:\ProgramData\coding :: Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: 24572628.exe.0.dr :: Binary or memory string: vmware
                    Source: svchost.exe, 00000013.00000002.3423237128.00000284AE42B000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAWP
                    Source: svchost.exe, 00000013.00000002.3424437338.00000284AF858000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
                    Source: 24572628.exe, 00000003.00000002.3436634276.000000001B3C3000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\24572628.exe :: Process information queried: ProcessInformation

                    Anti Debugging

                    barindex
                    Source: C:\Users\user\Desktop\24572628.exe :: Code function: 3_2_00007FF848A47A81 CheckRemoteDebuggerPresent, 3_2_00007FF848A47A81
                    Source: C:\Users\user\Desktop\24572628.exe :: Process queried: DebugPort
                    Source: C:\Users\user\Desktop\24572628.exe :: Process token adjusted: Debug (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug (4 occurrences)
                    Source: C:\ProgramData\coding :: Process token adjusted: Debug (2 occurrences)
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Memory allocated: page read and write | page guard
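The two sections above (sandbox evasion and anti-debugging) list raw signature hits without weighting them, and two of those hits need a caveat before triage: the 922337203685477 ms delay is TimeSpan.MaxValue expressed in milliseconds, a value the .NET runtime uses for "wait forever" and that shows up here for powershell.exe as well, and "Hyper-V RAW" in svchost.exe memory is the ordinary Hyper-V socket provider string. The triage helper below is an added example, not part of the Joe Sandbox report: it parses behaviour lines of the form `Source: <process> :: <signature>`, folds the report's different spellings of one process (path with TID, memory dump, dropped-file `.N.dr`) onto a single name, skips the TimeSpan.MaxValue artefact, and scores the remaining indicators per process. The sample lines are copied from this report with a separator added; the weights, the 5/2 verdict cut-offs and the MITRE mapping (T1497.001 system checks, T1497.003 time-based evasion, T1622 debugger evasion) are my own choices.

```python
"""Triage helper for the evasion and anti-debugging signatures above.

Added example, not part of the Joe Sandbox report. It reads behaviour lines in the
form "Source: <process> :: <signature>" and scores evasion indicators per process.
Weights, thresholds and the MITRE mapping are my own heuristic, not Joe Sandbox's.
"""
import ntpath
import re

# TimeSpan.MaxValue in milliseconds. The .NET runtime uses it as "wait forever" and
# the report shows it for powershell.exe too, so it is treated as runtime noise.
DOTNET_MAX_DELAY_MS = 922_337_203_685_477
SLEEP_THRESHOLD = 30_000  # the report's own cut-off (">= -30000s")

# Constructed sample: a selection of the report's lines with a separator added.
SAMPLE_LINES = r"""Source: global traffic :: HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com
Source: C:\Users\user\Desktop\24572628.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\24572628.exe TID: 5324 :: Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084 :: Thread sleep count: 7409 > 30
Source: C:\Windows\System32\svchost.exe TID: 8060 :: Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\24572628.exe :: Code function: 3_2_00007FF848A47A81 CheckRemoteDebuggerPresent,3_2_00007FF848A47A81
Source: C:\Users\user\Desktop\24572628.exe :: Process queried: DebugPort
Source: 24572628.exe.0.dr :: Binary or memory string: vmware
Source: svchost.exe, 00000013.00000002.3424437338.00000284AF858000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
"""

# (pattern, label, weight, MITRE technique)
INDICATORS = [
    (re.compile(r"ip-api\.com|fields=hosting"), "hosting/datacenter IP lookup", 2, "T1497.001"),
    (re.compile(r"Win32_VideoController"), "WMI GPU query (VM fingerprint)", 2, "T1497.001"),
    (re.compile(r"Win32_ComputerSystem"), "WMI ComputerSystem query", 1, "T1497.001"),
    (re.compile(r"SBIEDLL\.DLL", re.I), "Sandboxie DLL name", 2, "T1497.001"),
    (re.compile(r"\b(vmware|vbox|virtualbox|qemu|hyper-v)\b", re.I), "hypervisor string", 1, "T1497.001"),
    (re.compile(r"CheckRemoteDebuggerPresent|IsDebuggerPresent"), "debugger API check", 2, "T1622"),
    (re.compile(r"Process queried: DebugPort"), "ProcessDebugPort query", 2, "T1622"),
]
SLEEP_RE = re.compile(r"Thread (?:delayed: delay time|sleep time): -?(\d+)")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+)")


def process_key(source):
    """Fold the report's spellings of one process onto one name.

    "a.exe TID: 5324", "a.exe, <memdump>.sdmp" and "a.exe.0.dr" all map to "a.exe".
    """
    source = source.split(" TID:")[0].split(",")[0].strip()
    source = re.sub(r"\.\d+\.dr$", "", source)
    return ntpath.basename(source) or source


def sleep_hits(detail):
    """Score long sleeps and sleep loops, ignoring the .NET TimeSpan.MaxValue artefact."""
    m = SLEEP_RE.search(detail)
    if m:
        ms = int(m.group(1))
        if ms == DOTNET_MAX_DELAY_MS:
            return []
        if ms >= SLEEP_THRESHOLD:
            return [("long sleep (%d)" % ms, 1, "T1497.003")]
    m = SLEEP_COUNT_RE.search(detail)
    if m and int(m.group(1)) > 30:
        return [("sleep loop (%s calls)" % m.group(1), 1, "T1497.003")]
    return []


def triage(report_text):
    """Return {process: {"score": int, "hits": [label, ...], "techniques": {id, ...}}}."""
    results = {}
    for raw in report_text.splitlines():
        if " :: " not in raw:
            continue
        source, detail = raw.split(" :: ", 1)
        key = process_key(source.removeprefix("Source: "))
        entry = results.setdefault(key, {"score": 0, "hits": [], "techniques": set()})
        hits = [(label, w, t) for rx, label, w, t in INDICATORS if rx.search(detail)]
        hits += sleep_hits(detail)
        for label, w, t in hits:
            entry["hits"].append(label)
            entry["score"] += w
            entry["techniques"].add(t)
    return results


def verdict(score):
    return "likely evasive" if score >= 5 else "suspicious" if score >= 2 else "noise/benign"


if __name__ == "__main__":
    for name, r in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{name:<22} {r['score']:>2}  {verdict(r['score']):<15} {', '.join(r['hits'])}")
```

Run against the sample, 24572628.exe (the dropped second stage) collects the GPU WMI query, the Sandboxie DLL name, a real long sleep, both debugger checks and the vmware string and comes out "likely evasive", while YPzNsfg4nR.exe, whose only evasion line is the TimeSpan.MaxValue delay, scores zero; powershell.exe's sleep loop and svchost.exe's Hyper-V string stay at the bottom as noise. The same split is worth keeping in mind when reading the unweighted list above.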

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Process created: C:\Users\user\Desktop\24572628.exe "C:\Users\user\Desktop\24572628.exe"
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'
                    Source: C:\Users\user\Desktop\24572628.exe :: Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager2
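The process-creation lines above are the detection-relevant core of this report: the dropped second stage spawns PowerShell with `-ExecutionPolicy Bypass` to add Defender path and process exclusions for itself and for `C:\ProgramData\coding`, then registers a scheduled task that relaunches `C:\ProgramData\coding` every minute with `/RL HIGHEST`. Two caveats for anyone writing rules from this: `Add-MpPreference` only succeeds from an elevated context, and the report records the command lines, not whether they took effect, so they are evidence of intent rather than of a successful exclusion; and the "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" hit in the summary refers to the `-EncodedCommand` form, which the plain-text command lines here do not use. The detection logic below is an added example, not part of the Joe Sandbox report: it runs two rules over constructed process-creation events (parent, image, command line) that carry the report's own command lines, plus a Base64-wrapped variant of the same cmdlet and a benign daily task as controls. Event shape, rule thresholds and the MITRE mapping (T1562.001 impair defenses, T1053.005 scheduled task) are my own choices.

```python
"""Detection logic for the Defender-exclusion and schtasks persistence commands
listed above. Added example, not part of the Joe Sandbox report.

EVENTS are constructed process-creation records (parent, image, command line)
carrying the report's own command lines, plus one -EncodedCommand variant and one
benign task as controls. Rule thresholds and MITRE mappings are my own choices.
"""
import base64
import ntpath
import re
import shlex
from collections import namedtuple

Event = namedtuple("Event", "parent image cmd")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\24572628.exe"


def ps(args):
    return f'"{PS}" {args}'


# The report's cmdlet wrapped as Base64(UTF-16LE), the form the Sigma rule in the summary targets.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\coding'".encode("utf-16-le")).decode()

EVENTS = [
    Event(r"C:\Users\user\Desktop\YPzNsfg4nR.exe", DROPPER, f'"{DROPPER}"'),
    Event(DROPPER, PS, ps(r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'")),
    Event(DROPPER, PS, ps(r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'")),
    Event(DROPPER, PS, ps(r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'")),
    Event(DROPPER, PS, ps(r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'")),
    Event(DROPPER, PS, ps(f"-NoProfile -EncodedCommand {ENCODED}")),
    Event(DROPPER, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"'),
    # benign control: a daily task for a program under Program Files, created from the shell
    Event(r"C:\Windows\explorer.exe", SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

EXCL_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+[\'\"]?([^\'\"\s]+)", re.I)
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\(AppData|Desktop|Downloads)|Temp)\\", re.I)


def expand_encoded(cmd):
    """Append the decoded -EncodedCommand payload (Base64 of UTF-16LE) so the rules can see it."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def parse_schtasks(cmd):
    """Return the switches of a schtasks command line as {switch: value}; bare flags map to True."""
    argv = shlex.split(cmd, posix=False)  # non-POSIX mode keeps Windows quoting and backslashes intact
    opts, i = {}, 1                       # argv[0] is schtasks.exe itself
    while i < len(argv):
        key = argv[i][1:].lower() if argv[i].startswith("/") else None
        if key is None:
            i += 1
        elif key in ("create", "delete", "query", "run", "f", "z"):
            opts[key] = True
            i += 1
        else:
            opts[key] = argv[i + 1].strip('"') if i + 1 < len(argv) else ""
            i += 2
    return opts


def defender_findings(ev):
    """Add-MpPreference -Exclusion* run through PowerShell (T1562.001 Impair Defenses)."""
    if ntpath.basename(ev.image).lower() not in ("powershell.exe", "pwsh.exe"):
        return []
    m = EXCL_RE.search(expand_encoded(ev.cmd))
    if not m:
        return []
    kind, value = m.group(1), m.group(2)
    notes = [f"-Exclusion{kind} {value}"]
    if re.search(r"-ExecutionPolicy\s+Bypass", ev.cmd, re.I):
        notes.append("-ExecutionPolicy Bypass")
    if ENC_RE.search(ev.cmd):
        notes.append("Base64-encoded command")
    if value.lower() in (ev.parent.lower(), ntpath.basename(ev.parent).lower()):
        notes.append("excludes the parent process itself")
    return [{"rule": "Defender exclusion added", "technique": "T1562.001", "severity": "high",
             "image": ev.image, "parent": ev.parent, "notes": notes}]


def schtasks_findings(ev):
    """schtasks /create with watchdog-style settings (T1053.005 Scheduled Task)."""
    if ntpath.basename(ev.image).lower() != "schtasks.exe":
        return []
    opts = parse_schtasks(ev.cmd)
    if not opts.get("create"):
        return []
    target, reasons = opts.get("tr", ""), []
    if opts.get("sc", "").lower() == "minute" and int(opts.get("mo") or 1) <= 5:
        reasons.append(f"re-runs every {opts.get('mo') or 1} min")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST")
    if USER_WRITABLE.search(target):
        reasons.append("target in user-writable directory")
    if target and not ntpath.splitext(target)[1]:
        reasons.append("target has no file extension")
    if len(reasons) < 2:  # one oddity alone is common in legitimate tasks
        return []
    return [{"rule": "Suspicious scheduled task", "technique": "T1053.005", "severity": "high",
             "image": ev.image, "parent": ev.parent, "task": opts.get("tn"), "target": target, "notes": reasons}]


def detect(events):
    return [f for ev in events for f in defender_findings(ev) + schtasks_findings(ev)]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['severity']}] {f['technique']} {f['rule']}: {'; '.join(f['notes'])}")
```

The exclusion rule fires on all five PowerShell launches, including the encoded one, and additionally flags the two that exclude the parent process itself, which is the strongest single signal here because no administration tool excludes its own caller. The task rule needs at least two of its four oddities before it fires, so the benign daily task stays silent while the report's task trips all four: a one-minute repetition, `/RL HIGHEST`, a target under `C:\ProgramData` and a target with no extension at all.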
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe :: Queries volume information: C:\Users\user\Desktop\YPzNsfg4nR.exe VolumeInformation
                    Source: C:\Users\user\Desktop\24572628.exe :: Queries volume information: C:\Users\user\Desktop\24572628.exe VolumeInformation
                    Source: C:\Users\user\Desktop\24572628.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\ProgramData\codingQueries volume information: C:\ProgramData\coding VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\ProgramData\codingQueries volume information: C:\ProgramData\coding VolumeInformation
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: 24572628.exe, 00000003.00000002.3436634276.000000001B40E000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3436634276.000000001B45A000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3436634276.000000001B3C3000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3422310755.00000000008E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\24572628.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\24572628.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\24572628.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: YPzNsfg4nR.exe PID: 7332, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 24572628.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\coding, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: YPzNsfg4nR.exe PID: 7332, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 24572628.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\coding, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED
                    ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the match count the report shows next to that technique)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (22); Timestomp (1); DLL Side-Loading (1); Masquerading (21); Virtualization/Sandbox Evasion (161); Process Injection (12)
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery (1); System Information Discovery (33); Security Software Discovery (551); Process Discovery (2); Virtualization/Sandbox Evasion (161); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph ID: 1585127 | Sample: YPzNsfg4nR.exe | Start date: 07/01/2025 | Architecture: WINDOWS | Score: 100

                    Behavior graph (flattened from the graph image; node numbers are the graph's node ids, and a number following a process name is the counter shown on that node):

                    Node 2 (analysis root)
                      DNS/IP: usb-alignment.gl.at.ply.gg (node 52); ip-api.com (node 54)
                      Signatures: Suricata IDS alerts for network traffic (62); Found malware configuration (64); Malicious sample detected (through community Yara rule) (66); 12 other signatures (68)
                      Started: YPzNsfg4nR.exe 7 (node 9); coding (node 13); svchost.exe (node 15); 3 other processes (node 18)

                    Node 9: YPzNsfg4nR.exe 7
                      Dropped: C:\Users\user\Desktop\24572628.exe, PE32 (node 48); C:\Users\user\AppData\...\YPzNsfg4nR.exe.log, CSV (node 50)
                      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) (78)
                      Started: 24572628.exe 15 6 (node 20); conhost.exe (node 25)

                    Node 13: coding
                      Signatures: Antivirus detection for dropped file (80); Multi AV Scanner detection for dropped file (82); Machine Learning detection for dropped file (84)

                    Node 15: svchost.exe
                      DNS/IP: 127.0.0.1 unknown unknown (node 60)

                    Node 20: 24572628.exe 15 6
                      DNS/IP: usb-alignment.gl.at.ply.gg 147.185.221.21, ports 39219, 49999, 50007, SALSGIVERUS, United States (node 56); ip-api.com 208.95.112.1, ports 49743, 80, TUT-ASUS, United States (node 58)
                      Dropped: C:\ProgramData\coding, PE32 (node 46)
                      Signatures: Antivirus detection for dropped file (70); Multi AV Scanner detection for dropped file (72); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (74); 7 other signatures (76)
                      Started: powershell.exe 22 (node 27); powershell.exe 23 (node 30); powershell.exe 23 (node 32); 2 other processes (node 34)

                    Node 27: powershell.exe 22
                      Signatures: Loading BitLocker PowerShell Module (86)
                      Started: conhost.exe (node 36)

                    Node 30: powershell.exe 23
                      Started: conhost.exe (node 38)

                    Node 32: powershell.exe 23
                      Started: conhost.exe (node 40)

                    Node 34: 2 other processes
                      Started: conhost.exe (node 42); conhost.exe (node 44)
